MacInTouch Reader Reports

Security: Apple


Dec. 27, 2014

item.203381

MacInTouch Reader

Update:
MacPorts solved the ntp problem for me on 10.6.8. For those that don't yet have it, installers for Snow Leopard and other older OSX versions are here:

https://www.macports.org/install.php

After disabling the automatic time update in system preferences, I ran this in a Terminal window:

sudo port install ntp

MacPorts reports its progress, the last lines being:

---> Installing ntp @4.2.8_0
---> Activating ntp @4.2.8_0
---> Cleaning ntp
---> Updating database of binaries
---> Scanning binaries for linking errors
---> No broken files found.

After reactivation of the time update system preference, the following terminal command verifies the ntp version:

sudo ntpq -cv

In my case the resulting output was:

ntpq 4.2.8@1.3265-o Sun Dec 21 05:01:35 UTC 2014 (1)

This was easier than trying to build ntp myself, though it still requires Xcode.

item.203371

John Baltutis

Re:

For those of you (and me) still running SL and/or Lion, among others, and who feel left out by Apple, follow the steps in the second answer at:

Disabling NTP on OS X Lion or older

and manually install the update - a simple procedure that works and one Apple should have provided to its users, since they don't want to admit that there are people out there using their older but useful OSs (bah, humbug).

Thanks to John for pointing us Snow Leopard users to this link.

However, although I have the required Xcode version installed, the configuration script complains that:

configure: error: C compiler cannot create executables

I have tried to troubleshoot the script, but my shell abilities are limited, and I'm afraid of causing some inadvertent damage.

Has anyone else seen this issue, or have a suggestion?

Thanks to this excellent community.

Try the tip at

How to manually patch NTP for OS X 10.6 and 10.7

BTW, I didn't have any compiler error. Do ensure you're running Xcode 3.2.6.

item.203383

Robert J

I'm not a Terminal freak, and I have never used Xcode in 25 years of computing... but you don't need to actively use it in this case, it just has to be installed. I followed carefully all the instructions posted by Topher Kessler on MacIssues

How to manually patch NTP for OS X 10.6 and 10.7

and the patching worked like a charm on my 10.6.8 machines.

item.203394

Gordon Doughman

Re:

Change your Apple ID
Learn how to change the email address that you use as your Apple ID.

The real problem with changing an Apple ID is the fact that, as described in the Apple support document, an Apple ID created long before iCloud.com, me.com or Mac.com existed, cannot be changed to an iCloud.com e-mail address.

This is a stupid restriction in Apple's system that effectively will not allow two Apple ID accounts to be merged, i.e. one based on an Apple domain and one based on a non-Apple domain e-mail address. This has been a problem that has existed for a good number of years with lots of discussion and complaints on the Apple discussion boards but has apparently fallen on deaf ears at Apple.

I have had a non-Apple domain e-mail address provided by my ISP for over 15 years. I would now like to obtain an ISP independent e-mail address, so I can get the best deal on internet service. When I drop my current ISP, my Apple ID e-mail address will go away. To make life easy, I'd like to have my Apple ID changed to an iCloud e-mail address. I don't want to have to maintain a 'free' non-Apple domain e-mail address, for my Apple ID.

I just can't understand why Apple won't allow two accounts to be merged. There can't be any technical reasons, just Apple's lack of desire/resolve to make things easy for their customers, even if it might be a difficult problem for them to solve. I thought that was supposed to be one of Apple's hallmarks. Make sophisticated technology simple to use. I believe Apple is losing their way.

item.203402

Matt Neuburg

On two Mavericks machines, I have seen no NTPD notification, nor is any NTPD update listed in Software Updates in the App Store app. I was able to obtain the update at Apple's Downloads site, but if it weren't for the discussion here, I wouldn't even have known about it.

item.203409

Peter Neame

Fixing the NTP issue on Snow Leopard (10.6.8):

I used the fantastic instructions by klanomath here:

How to install the 2014 NTP security fix on 10.6.8 Snow Leopard

after several dismal attempts at trying to fix it myself.

Dec. 28, 2014

item.203410

Davide Guarisco

[I'm] also on Mavericks. NTP update did not happen without asking, but did show up as available update. Installed fine.

item.203414

David Blanchard

"...MacPorts solved the ntp problem for me on 10.6.8..."

Years ago, while running 10.4 Tiger, I installed Fink and still have many of those programs, libraries, etc., located in /sw/* on my Snow Leopard machine.

Will installing MacPorts cause any conflicts with Fink?

item.203447

Wire

Re. using MacPorts to update ntp:

Be aware that adding / updating software with MacPorts is not equivalent to a proper OS security update. Just because the shell finds a patched version of some tool on its path doesn't imply there is no unpatched version still around.

Study up on Unix!

MacPorts is about bringing support for POSIX / Linux commands to the party, alongside Apple's software, which is far from the same as updating the OS. Just because you have an updated / patched version of ntp somewhere on the system (typically in /opt/local/...) doesn't imply that a vulnerable Apple version no longer exists in some framework or package elsewhere.

This gets especially tricky for system services - a.k.a. system processes that are instigated via custom launchagents / launchdaemons, or via other non-standard launch mechanisms.

With MacPorts you are generally expanding the scope of risk, not reducing risk, because security issues auto-patched by Apple may remain vulnerable in MacPorts-installed versions and vice versa. You have to keep up on both.
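The point made above, and the `sudo port install ntp` procedure earlier in the thread, both come down to one question: which ntpd does launchd actually run, and is every copy on the box at or above 4.2.8? The audit below is an added example, not code from the thread or from MacPorts; the launchd plist path is an assumption about OS X 10.6/10.7, and the version banners are constructed sample data so it runs offline.

```python
"""Audit every ntpd on the system and report which one launchd runs."""
import plistlib
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Minimum release carrying the December 2014 ntp fixes (as stated in the thread).
MIN_VERSION = (4, 2, 8)

# Places a second ntpd can live: Apple's system copy and the ports prefixes.
CANDIDATES = ["/usr/sbin/ntpd", "/opt/local/sbin/ntpd", "/usr/local/sbin/ntpd"]

# Assumed location of Apple's launchd job for ntpd on OS X 10.6/10.7.
LAUNCHD_PLIST = "/System/Library/LaunchDaemons/org.ntp.ntpd.plist"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull (major, minor, patch, p-level) out of an ntpd/ntpq banner line.

    Accepts the ntpq format quoted in the thread ("ntpq 4.2.8@1.3265-o ...")
    and the "ntpd 4.2.8p1@..." form. Returns None if no version is present.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_patched(version: Tuple[int, ...]) -> bool:
    """True if the release is at least MIN_VERSION (the p-level does not matter)."""
    return tuple(version[:3]) >= MIN_VERSION


def launchd_program(plist_bytes: bytes) -> Optional[str]:
    """Binary launchd would exec for this job: ProgramArguments[0], else Program."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments")
    return args[0] if args else job.get("Program")


def run_version(path: str) -> str:
    """Real runner: ask the binary for its banner (ntpd --version, as used in the thread)."""
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    return (out.stdout + out.stderr).strip()


def audit(candidates: List[str], active: Optional[str],
          run: Callable[[str], str]) -> Dict[str, dict]:
    """For each candidate that exists, record version, patched state and launchd use."""
    report: Dict[str, dict] = {}
    for path in candidates:
        try:
            banner = run(path)
        except (FileNotFoundError, PermissionError):
            continue  # not installed here
        version = parse_version(banner)
        report[path] = {
            "version": version,
            "patched": version is not None and is_patched(version),
            "active": path == active,
        }
    return report


def unpatched_active(report: Dict[str, dict]) -> List[str]:
    """Paths launchd runs that are still below the fixed version: the real exposure."""
    return [p for p, r in report.items() if r["active"] and not r["patched"]]


# Constructed sample: launchd still points at Apple's copy, which is old, while
# the MacPorts copy reports the patched 4.2.8 banner seen in the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.ntp.ntpd</string>
  <key>ProgramArguments</key><array>
    <string>/usr/sbin/ntpd</string><string>-c</string>
    <string>/private/etc/ntp-restrict.conf</string>
  </array>
</dict></plist>"""

SAMPLE_BANNERS = {  # constructed banners; the 4.2.6p5 one is hypothetical
    "/usr/sbin/ntpd": "ntpd 4.2.6p5@1.2349-o Sun Dec 21 05:01:35 UTC 2014 (1)",
    "/opt/local/sbin/ntpd": "ntpd 4.2.8@1.3265-o Sun Dec 21 05:01:35 UTC 2014 (1)",
}


def fake_run(path: str) -> str:
    """Stand-in for run_version so the audit runs without the binaries."""
    if path not in SAMPLE_BANNERS:
        raise FileNotFoundError(path)
    return SAMPLE_BANNERS[path]


def sample_audit() -> Dict[str, dict]:
    return audit(CANDIDATES, launchd_program(SAMPLE_PLIST), fake_run)


if __name__ == "__main__":
    rep = sample_audit()  # on a real Mac: open(LAUNCHD_PLIST,'rb').read() and run_version
    for path, r in rep.items():
        print(path, r)
    print("still exposed:", unpatched_active(rep))
```

On a real 10.6.8 machine, swap `fake_run` for `run_version` and feed `launchd_program` the bytes of `LAUNCHD_PLIST`; an empty `unpatched_active` list is the result you want.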

item.203444

Skot Nelson

Re:
Change your Apple ID
Learn how to change the email address that you use as your Apple ID.

The real problem with changing an Apple ID is the fact that, as described in the Apple support document, an Apple ID created long before iCloud.com, me.com or Mac.com existed, cannot be changed to an iCloud.com e-mail address.

This is a stupid restriction in Apple's system that effectively will not allow two Apple ID accounts to be merged, i.e. one based on an Apple domain and one based on a non-Apple domain e-mail address. This has been a problem that has existed for a good number of years with lots of discussion and complaints on the Apple discussion boards but has apparently fallen on deaf ears at Apple.

I have had a non-Apple domain e-mail address provided by my ISP for over 15 years. I would now like to obtain an ISP independent e-mail address, so I can get the best deal on internet service. When I drop my current ISP, my Apple ID e-mail address will go away. To make life easy, I'd like to have my Apple ID changed to an iCloud e-mail address. I don't want to have to maintain a 'free' non-Apple domain e-mail address, for my Apple ID.

I just can't understand why Apple won't allow two accounts to be merged. There can't be any technical reasons, just Apple's lack of desire/resolve to make things easy for their customers, even if it might be a difficult problem for them to solve. I thought that was supposed to be one of Apple's hallmarks. Make sophisticated technology simple to use. I believe Apple is losing their way.

The engineering resources required to make it happen may exceed the value or the number of requests they have to do this. You may consider this a "lack of...resolve" but it's actually practical project management.

Merging information is actually very much harder than most people think it is. Any merge of data has to resolve every conflict, which means:
1) Detect difference
2) Determine which data to keep
3) Dump the old data or stash it somewhere?

Small, seemingly trivial differences between data can be very difficult for computers to resolve.

Yes, it means I'll be paying for my penguinstorm.com domain for the rest of my life -- but I was planning on that anyway, which is why I used it to create an Apple ID instead of some random email provider which might disappear.

item.203460

MacInTouch Reader

Skot Nelson writes,

"The engineering resources required to make it happen may exceed the value or the number of requests they have to do this. You may consider this a "lack of...resolve" but it's actually practical project management.
Merging information is actually very much harder than most people think it is. Any merge of data has to resolve every conflict..."

Merging two AppleIDs is trivial. Anything purchased in either of the two AppleIDs is marked as a purchase in the new merged ID. Done.

Dec. 29, 2014

item.203464

David Blanchard

TenFourFox Development posted an interesting article about ntp and ntpd. They suggest turning off the daemon (ntpd) and running just ntp (manually or via cron) to get the time. Their analysis suggests that the security problems are in ntpd rather than ntp.

Any experts here that can provide additional information on this?

Time, time, time, see what's become of ntpd

This might be a solution for Snow Leopard and Lion users.

item.203470

MacInTouch Reader

Is there a way to tell if an old Apple ID on a defunct email address is lurking somewhere within Apple?

I know I registered Macs back in the 90s on an address that I shut down circa 2000. I went to an Apple page that supposedly checked emails to see if they had been used as Apple IDs, and entered three -- my current Apple ID on a personal domain, another address on the ISP that manages my domain, and the defunct address. All I got was one response offering to reset my password.

item.203484

a MacInTouch Reader

Another MacInTouch reader asserted that

"Merging two AppleIDs is trivial. Anything purchased in either of the two AppleIDs is marked as a purchase in the new merged ID. Done."

Maybe. Maybe not. Even if it is technically "trivial" to do, as the reader proposed (and that is a huge "if"), there are many layers of complexity in systems like AppleID, iTunes, the Apple Store, etc. that may interact in wholly unexpected and potentially disastrous ways. Sometimes it's due to poor design, but more often it's due to an architectural decision that was perfectly reasonable when the decision was made, but is difficult to adapt to unforeseen requirements. (Did Apple really anticipate that iTunes, a music player it acquired from a third party, would become, at least for a time, the hub of Apple's online e-commerce and identity management systems?)

Supposedly, even Tim Cook wanted to see Apple support the merging of Apple IDs several years ago. The fact that it has not happened suggests that it is not an easy technical fix.

Over the years, I've become very familiar with feature requests that seem obvious and trivial to end users but are devilishly hard for software developers to implement, and I've seen the opposite, where end users fail to ask for an improvement that they assume must be impossible to build, but is actually very straightforward from an engineering standpoint.

My bet here is that the most "trivial" technical approaches to merging Apple IDs will either introduce unacceptable performance penalties (I saw exactly that happen with a much smaller company's ID consolidation project) or that integration of Apple IDs with another Apple service will fail catastrophically using any of the "easy" fixes. I've seen that happen, too.

I stopped saying "It's trivial!" years ago. Those words are the software development equivalent of, "Here! Hold my beer!"

Dec. 30, 2014

item.203508

James Cutler

David Blanchard wrote,

TenFourFox Development posted an interesting article about ntp and ntpd. They suggest turning off the daemon (ntpd) and running just ntp (manually or via cron) to get the time. ...

But there is no "ntp" program to run. The two shipped clients for ntp are ntpd and ntpdate. ntpdate queries a requested server and sets the system clock in a one-shot operation. ntpd runs continuously and can query a set of other ntp servers, performing wondrous calculations to weed out false-tickers and come up with a pretty reliable value for time.

item.203547

David Blanchard

James Cutler is correct when he says:

"...But there is no "ntp" program to run. The two shipped clients for ntp are ntpd and ntpdate..."

That was a typo/error on my part and not that of the original blog I referenced.

item.203509

Scott Bayes

David Blanchard writes:

TenFourFox Development posted an interesting article about ntp and ntpd. They suggest turning off the daemon (ntpd) and running just ntp (manually or via cron) to get the time. Their analysis suggests that the security problems are in ntpd rather than ntp.

...

This might be a solution for Snow Leopard and Lion users.

I've found (using ps ax | grep ntp in Terminal), that firing up System Preferences > Date & Time, and check-marking, then clearing "Set time and date automatically" in the first tab, reliably starts and stops ntpd, while synching accurately in Snow Leopard. Very simple, and the window of opportunity for bad stuff to happen is very short, since the sync generally takes only a second or two (I watch the seconds field of the clock in the menubar to see this change).

I've set a weekly reminder to do this, since a few seconds of error is not a problem on my MacBook1,1 running Snow Leopard.

item.203511

Wire

Over at xlr8yourmac there's a link to an Apple forums writeup on properly patching NTP for 10.6.8. I have not used nor carefully reviewed this process, but my cursory take is that it's at least generally correct.

Re: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

Per my previous comment on MacPorts, in the above writeup you will see that software in /usr/bin and /usr/sbin is being updated, whereas MacPorts software is kept in /opt/local. Directories in /usr/... are traditional Unix (BSD/Darwin) directories for system programs.

This writeup describes compiling an NTP daemon from source and placing it so that the OSX config uses it. Why you should trust the mentioned source code and why it is the proper version is an exercise for the diligent OSX 10.6 maintainer.

You should also consider additional maintenance challenges: if you do an OSX repair installation, you had better have kept notes on all such changes you made, because you are going to have to reapply them. Hopefully you also kept the proper revision tarballs somewhere where you can find them again 'cause that one link mentioned in the writeup won't still be around next year. Also, don't forget to understand the dependencies between this particular change and any maintenance changes you may have made, and the ordering of those changes!

Happy maintaining the best Mac OS X that was ever made!

item.203543

MacInTouch Reader

Here's a quick and easy way to patch NTP on older Macs:

https://github.com/MacMiniVault/NTPUpdateSnowLeopard/releases

item.203496

Joe F

"Merging two AppleIDs is trivial. Anything purchased in either of the two AppleIDs is marked as a purchase in the new merged ID. Done."

That might be straightforward (but see other people's responses about the hidden pitfalls of merging data) if the only thing controlled by an Apple ID was purchases. But it's not. Contacts, calendars, keychains, bookmarks, etc. were also sync'd at one point or another in the various incarnations of Apple's syncing efforts over the years. Some things (i.e., Keychains) went away for awhile and then came back as syncable items.

Even without the complexity of merging different accounts, how many stories have we read about people ending up with duplicate contacts in the Address Book when Apple upgraded their back-end systems?

If all you are really concerned about is purchases, then you shouldn't be asking Apple for the ability to merge accounts. What you should be asking for is the ability to transfer purchases. But don't hold your breath for that one either. It would probably be a much easier technical problem to solve, but would be counter to the current business models of making it difficult/impossible to lend, give, sell, or bequeath content. Much more profitable to make everyone purchase their own copies.

item.203497

MacInTouch Reader

"Supposedly, even Tim Cook wanted to see Apple support the merging of Apple IDs several years ago. The fact that it has not happened suggests that it is not an easy technical fix."

Or that it's not a high priority.

The only hard part is verifying that the same person owns both IDs. The actual merge is easy.

There is a potential for fraud if Apple IDs from two different people can be merged.

item.203499

Steven MacDonald

"I know I registered Macs back in the 90s on an address that I shut down circa 2000. I went to an Apple page that supposedly checked emails to see if they had been used as Apple IDs"

Apple ID seems to be a merging of different IDs used by Apple for identifying customers.

However, I'm not sure the address one used for registering a Mac in the 90s counts as an 'Apple ID'. I tried searching about the history of Apple ID but couldn't find when it actually started. My guess is that it was around the time of the first iPhone or possibly when the iTunes store opened. Although I used the same address for both, I don't think MobileMe ID and Apple ID are the same thing. As for iTunes, you can easily have a different ID for that and for iCloud on the same device.

If anyone knows or can remember the history, weigh on in.

item.203527

Michael Fryd

A MacInTouch reader suggested that "Merging two Apple IDs is trivial". I am not so sure. My guess is the real challenge is licensing, not technical.

Conceptually, you can merge two AppleIDs by turning off one, and re-issuing all purchased media to the other. In practice you can't turn off the old ID. What you are really doing is issuing additional free copies of the old purchases to the new ID.

Publishers don't like Apple giving away additional copies of their content.

There is no mechanism to actually turn off an old AppleID; if you reissue content to a new AppleID, you have doubled the number of computers authorized to play the content.

I suspect that we won't be able to merge AppleIDs until these licensing issues are resolved.

item.203546

Michael Fryd

AppleIDs have not always been in the form of an email address. My AppleID used to be my name. I finally changed it to an email address when an "upgrade" to my AppleTV had a bug and didn't recognize AppleIDs that were not email addresses.

Apple has not always been clear about when it creates an AppleID. For a while, if you allowed Apple to email you the receipt for a purchase, they would create a corresponding AppleID and register the computer to that ID.

Before I knew this, I was inconsistent in what email address I used for the receipt. I now have a bunch of AppleIDs to track.

One problem is that an AppleID is a unique identifier that can be used for many purposes. It can be associated with AppleCare agreements, product registrations, repair records, iTunes store accounts, iCloud accounts, even an Apple iCloud account. Not all AppleIDs have associated iTunes accounts, nor do they all have associated AppleCare agreements.

item.203517

MacInTouch

German minister fingered as hacker 'steals' her thumbprint from a photo

In a presentation at the annual Chaos Computer Club hacker gathering in Hamburg, Germany, biometrics specialist Jan Krissler - known in the community as "Starbug" - explained how he'd taken a variety of photographs of Ursula von der Leyen when she gave a press briefing in October.

Krissler used a lens with a focal length of 200mm and shot the snaps from six feet away, he said. He then used commercial fingerprint software from Verifinger to map out the contours of the Minister's thumbprint.

To get that into something that could be used on a biometric scanner, Krissler employed the same technique he demonstrated at the conference last year, where he successfully defeated Apple's TouchID fingerprint lock.

Jan. 1, 2015

item.203562

MacInTouch Reader

Michael Fryd writes,

"Conceptually, you can merge two AppleIDs by turning off one, and re-issuing all purchased media to the other. In practice you can't turn off the old ID. What you are really doing is issuing additional free copies of the old purchases to the new ID."

The old ID can be removed entirely after merging, so there is only one licensed copy in existence.

item.203564

MacInTouch Reader

Joe F writes,

"That might be straightforward (but see other people's responses about the hidden pitfalls of merging data) if the only thing controlled by an Apple ID was purchases. But it's not. Contacts, calendars, keychains, bookmarks, etc. were also sync'd at one point or another in the various incarnations of Apple's syncing efforts over the years. Some things (i.e., Keychains) went away for awhile and then came back as syncable items."

Purchases is why people want to merge Apple IDs because they don't want to buy everything all over again in another Apple ID.

Everything else can be merged by the user at any time. It might be a little bit of work in some cases, but it's not impossible for the user to do.

The purchases can only be merged by Apple, and the vast majority of those requesting merging would be happy with just that.

item.203575

MacInTouch Reader

Will the Snow Leopard patch for NTP work with Lion?

item.203585

Mike Spangler

Re:

Here's a quick and easy way to patch NTP on older Macs:

https://github.com/MacMiniVault/NTPUpdateSnowLeopard/releases

Alas, that only works on 64-bit Macs, and not on Core (not 2) processors.

There is another version around as well; it has the same issue but does not check the CPU type before installation. Oops. I guess my stereo cabinet Mini is very safe now.

Jan. 2, 2015

item.203615

C. Alexander Cohen

Re:

Here's a quick and easy way to patch NTP on older Macs:

https://github.com/MacMiniVault/NTPUpdateSnowLeopard/releases

Alas, that only works on 64-bit Macs, and not on Core (not 2) processors.

There is another version around as well; it has the same issue but does not check the CPU type before installation. Oops. I guess my stereo cabinet Mini is very safe now.

Just ran the NTP updater on a Snow Leopard-running Core 2 Duo iMac. According to Terminal (using ntpd --version), it worked.

item.203607

Michael Fryd

A MacInTouch reader suggested that merging Apple IDs does not create a licensing duplication issue because the old Apple ID can be deleted.

The issue is that Apple has no way of disabling existing content issued to the old AppleID. Yes, Apple can refrain from allowing that AppleID to download or stream content. Apple can refrain from authorizing new computers for that AppleID, but any already downloaded content will continue to work.

Perhaps a more significant issue is that merging AppleIDs has the potential for abuse.

From a licensing perspective, allowing AppleIDs to be merged vastly increases the terms of the license. Right now, my license to the content is limited to my lifetime. If AppleIDs can be merged, then we have effectively extended the license past my lifetime.

Instead of my content license expiring when I do, my son can merge my AppleID into his, effectively extending the licensing period to his lifetime. His son can do the same thing, continuing the license forever.

If you can't merge an AppleID, then my purchases disappear when I do.

It would be very difficult for Apple to tell the difference between a legitimate request to merge AppleIDs belonging to a single person, from an attempt to merge AppleIDs of distinct family members.

As I said before, I really think licensing issues prevent Apple from merging AppleIDs.

item.203626

Colleen Thompson

Instead of my content license expiring when I do, my son can merge my AppleID into his, effectively extending the licensing period to his lifetime. His son can do the same thing, continuing the license forever. If you can't merge an AppleID, then my purchases disappear when I do.

How would Apple know when you die? What if your family member knows your logon information? They could keep using your account long past your demise.

Jan. 5, 2015

item.203613

MacInTouch

New password-hacking tool for iCloud claims to evade Apple's brute-force protections

item.203660

Michael Fryd

Colleen Thompson pointed out that after I die, a family member can continue to use my AppleID without Apple's knowledge.

This may be true. But separate IDs add roadblocks to the process. Apple limits devices to be logged into only one AppleID at a time. Apple has the option of limiting how often you can switch which AppleID you are logged into.

The concern here is not that it is possible to bypass the intent of the licensing agreement, but how easy/hard it is.

If you make something harder, fewer people will do it. If you make it easy, more people will do it. The licensing concerns are about finding the right balance, and allowing AppleIDs to be merged changes the balance.

Of course, the above is assuming existing laws and practices. Online purchasing accounts are becoming as important as bank accounts. Online accounts can be a valuable asset. I expect laws will soon change to reflect this new reality. When someone dies, the account issuer will be notified. I think in the near future, Apple will know when the owner of an AppleID passes away.

item.203724

Dez Chesterfield

My Apple ID was originally created on 5th January 2000, the same day that Apple announced their iTools service, the precursor to MobileMe / iCloud.

I also have another Apple ID for development, although I can't remember whether or not I created that before iTools.

item.203746

MacInTouch Reader

Michael Fryd writes,

Colleen Thompson pointed out that after I die, a family member can continue to use my AppleID without Apple's knowledge. This may be true. But separate IDs add roadblocks to the process. Apple limits devices to be logged into only one AppleID at a time. Apple has the option of limiting how often you can switch which AppleID you are logged into.

It's easy to have apps from multiple Apple IDs installed and running at the same time.

Authentication is only required for updating them (or buying new ones).

Jan. 8, 2015

item.203957

MacInTouch

... Apple kills brute force iCloud cracker

iDict was purportedly created to force Cupertino into belatedly fixing a wide open security flaw most believed it had fixed in the wake of the iCloud celebrity hack last year.

The iDict tool had enabled dictionary attacks against Apple's iCloud user base. But Cupertino soon applied controls that blunted attacks based on the tool by locking up targeted accounts after a large number of failed login attempts.

The utility, which was published on Github on New Year's Day, was thwarted by better security controls by Apple applied on 2 January, as the developer of the neutered brute force hacking tool acknowledged. ... "This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities," pr0x13 explained, adding: "I publicly disclosed it so Apple will patch it."

item.204001

MacInTouch Reader

The first Mac bootkit vulnerability, dubbed Thunderstrike, has been described -- but just as a proof of concept, not yet in the wild. It would infect your Mac as soon as any infected Thunderbolt device were plugged in. An infection of this type is so low-level that it's almost impossible to detect, and can probably only be fixed by ripping out the ROM chips.

item.204022

MacInTouch

Thunderstrike shocks OS X with firmware bootkit

The Thunderstrike attack uses 35-year-old legacy option ROMs to replace the RSA keys in a Mac's extensible firmware interface (EFI) to allow malicious firmware to be installed and lock out attempts to remove it.

It works against all Macbooks released since Thunderbolt's 2011 introduction, Hudson said, noting that he successfully tested seven machines.

"When we boot the machine the Thunderstrike exploit runs in the recovery mode boot replacing firmware and Apple's update routine flashes its RSA key onto the motherboard - and once that is done, we own the system and we can flash whatever we want using Apple's own update tools," Hudson told an applauding audience at the Chaos Communications Congress.

"Because we replaced the key this bootkit can't be removed through software alone because we control the key the firmware is going to use."

Jan. 9, 2015

item.204129

MacInTouch

Thunderstrike - new Mac "ueberrootkit" could own your Apple forever

Hudson's research revealed a loophole in the bootstrap process.

So that Apple can ship Boot ROM firmware updates, it is possible to reboot a Mac while leaving the Boot ROM in read-write mode.

But this sort of bootstrap is a special one during which all you are supposed to be able to do is write a new firmware image into the ROM and reboot.

The current ROM includes a public key to check the digital signature of the new ROM image first; so, in theory, an Apple ROM can rewrite itself with a digitally-signed Apple ROM, and that's that.

But, as Hudson discovered, Thunderbolt Option ROMs run even in "Boot ROM firmware update" mode, despite the fact that they are totally unnecessary under those circumstances.

Worse still, the code in an Option ROM can modify the contents of the firmware update after its digital signature has been verified, but before it gets written to the Boot ROM.

Oops!

Jan. 10, 2015

item.204151

Colleen Thompson

Spotlight search in OS X Yosemite exposes private user details to spammers

Like Mozilla Thunderbird, Microsoft Outlook, and many other e-mail clients, Mail allows users to block remote images for precisely this reason [to block web beacons]. But even when remote image viewing is disabled in Yosemite-based Mail app settings, the images will be opened by Spotlight, according to two recent media reports. The feature is used to search a Mac for files or e-mail containing a specified search term. When Spotlight returns a preview of e-mails containing the term, it loads the images, overriding the option. Images are loaded even when the previewed message has landed in a user's junk mail folder.

item.204189

MacInTouch Reader

Spotlight search in OS X Yosemite exposes private user details to spammers

Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets.

The potential privacy glitch affects people who have configured the Mac Mail App to turn off the "load remote content in messages" setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on sites hosted by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that's undermined by the viewing of remote images.

...

item.204199

MacInTouch

OS X search tool Spotlight runs roughshod over Mail privacy settings

The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load remote content.

This means tiny, transparent images hidden in messages by spammers and message-tracking software will be fetched, confirming that your email address is working and you're able to pick up e-missives. It will also, via the HTTP User-Agent string sent by OS X to the server hosting the image, reveal your public IP address, which is not good news if the purpose of the hidden picture is to help track you down.
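The two excerpts above describe the mechanism: a remote image reference in an HTML message, often a 1x1 transparent pixel carrying a per-recipient token, becomes an outbound HTTP request the moment any component renders the message. The following script is an added example (not from the thread or the cited articles) showing what a client-side "do not load remote content" policy has to do: find every image that would trigger a fetch, flag the ones that look like beacons, and rewrite them to an inert placeholder. The sample message and hostnames are constructed; only the local `cid:` image survives unchanged.

```python
"""Find and neutralise remote-image web beacons in an HTML e-mail.

Added example for the MacInTouch Spotlight/Mail discussion; the message
and the .invalid hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a local (CID) image, an ordinary remote banner and a
# 1x1 hidden tracking pixel with a per-recipient token in its query string.
SAMPLE_EMAIL = """
<html><body>
<p>Hello!</p>
<img src="cid:logo@example.invalid" width="200" height="50">
<img src="https://images.example.invalid/banner.jpg" width="600" height="120">
<img src="https://track.example.invalid/open.gif?uid=recipient-123" width="1" height="1" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def is_remote(src):
    """True if rendering this src would make a network request."""
    return urlsplit(src).scheme.lower() in ("http", "https")


def looks_like_beacon(attrs):
    """Heuristics for a tracking pixel: tiny dimensions, hidden via CSS,
    or a query string (typically a per-recipient identifier)."""
    def tiny(value):
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1

    if tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")):
        return True
    if "display:none" in attrs.get("style", "").replace(" ", "").lower():
        return True
    if urlsplit(attrs.get("src", "")).query:
        return True
    return False


def find_remote_images(html):
    """Return (src, is_beacon) for every image that would be fetched
    from the network if the message were rendered."""
    parser = _ImgCollector()
    parser.feed(html)
    return [(a["src"], looks_like_beacon(a)) for a in parser.images
            if is_remote(a.get("src", ""))]


# Matches the src attribute of an <img> tag when it points at http(s).
_REMOTE_SRC = re.compile(
    r'(<img\b[^>]*?\bsrc\s*=\s*["\'])(https?://[^"\']*)(["\'])', re.I | re.S)


def block_remote_images(html):
    """Rewrite every remote <img src> to an inert placeholder, which is
    what a mail client's 'load remote content' switch prevents: no
    request leaves the machine, so no IP address or open-time is logged.
    CID (inline attachment) images are left untouched."""
    return _REMOTE_SRC.sub(r"\1about:blank\3", html)


if __name__ == "__main__":
    for src, beacon in find_remote_images(SAMPLE_EMAIL):
        print(("BEACON " if beacon else "remote ") + src)
    print("after blocking:", find_remote_images(block_remote_images(SAMPLE_EMAIL)))
```

The point of the second function is that blocking must happen wherever the HTML is rendered. A client that enforces the setting and a preview component (QuickLook, in the Sophos post further down) that does not leaves the fetch reachable through the latter; checking the rewritten message with `find_remote_images` after the rewrite is the quick regression test for any such path.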

Jan. 14, 2015

item.204207

Mike Rose

I have disabled Spotlight for 4 months now and have noticed an improved response time. I also have found that EasyFind, a free app (not related to me), is very good and extremely fast at finding things I need to look for. In fact, IMHO, it is miles better than Spotlight for finding obscure items.

The improvement in response time was the reason for the original shutdown, and now it appears it was a wise move in retrospect.

item.204242

MacInTouch

Anatomy of a privacy leak - Apple OS X search engine in the Spotlight

This can't really be considered a catastrophic vulnerability.

But it is a privacy problem, and Apple needs to fix it.

Here are two possible directions that Cupertino could take:

  • Make QuickLook and other low-level data processing components retrieve the security and privacy settings of all installed applications that are associated with the content it is previewing. Honour the strictest settings found.
  • Move important security and privacy settings into System Preferences. Where individual applications or system components wish to override these defaults, allow stricter settings only.

In the meantime

If you are willing to forgo searching inside your mail and messages, you can tell Spotlight not to include them in its results:

If Mail and Messages is turned off, then Spotlight won't display any matches from your mail files, so QuickLook will never be called upon to produce an email preview window, and unexpected web-beacon tracking won't happen.

You won't be able to search through your emails, though, until Apple makes it safe to turn Mail and Messages back on.

item.204251

Steven Wicinski

Two things on the Spotlight search bug:

1. It doesn't sound like a problem with Spotlight, but more of the viewing portion. Isn't that a QuickLook problem?

2. How is it that no one running Little Snitch noticed this? Via what conduit is it loading the images, as I would think someone would have mentioned Spotlight or QuickLook or something mysteriously connecting to the Internet? Not being accusatory, just wondering.

item.204083

Matt Snider

Thunderstrike shocks OS X with firmware bootkit
The Thunderstrike attack uses 35-year-old legacy option ROMs to replace the RSA keys in a Mac's extensible firmware interface (EFI) to allow malicious firmware to be installed and lock out attempts to remove it.

It works against all Macbooks released since Thunderbolt's 2011 introduction, Hudson said, noting that he successfully tested seven machines.

"When we boot the machine the Thunderstrike exploit runs in the recovery mode boot replacing firmware and Apple's update routine flashes its RSA key onto the motherboard - and once that is done, we own the system and we can flash whatever we want using Apple's own update tools," Hudson told an applauding audience at the Chaos Communications Congress.

"Because we replaced the key this bootkit can't be removed through software alone because we control the key the firmware is going to use."

It just goes to show, build a better mouse trap and the mice just get smarter. This is really scary, because if it gets into your system, it's as good as a paperweight. I'm going back to a tin can and a long piece of string.

Jan. 20, 2015

item.204364

David Charlap

Matt Snider wrote, regarding Thunderstrike:

"It just goes to show, build a better mouse trap and the mice just get smarter. This is really scary, because if it gets into your system, it's as good as a paperweight. I'm going back to a tin can and a long piece of string."

The entire Thunderstrike presentation is long and technical, but a good read.

Although this is a serious security issue, it's worth noting that (at least at this time), in order to install this malware, you must either attach a compromised Thunderbolt device or the attacker must physically open the computer (to directly access the ROMs.)

For most of us, I think we can be reasonably safe as long as we don't allow anyone to attach a Thunderbolt device that we personally didn't purchase or leave the computer unattended in a location where untrusted people might have access.

If, however, you believe there is a serious chance that somebody (government agency, hacker, whatever) might tamper with your purchases in-transit, or have someone in the TSA tamper with your computer, then you really have no choice but to lock-down your firmware as described in the article.

It is encouraging to see that Apple is (now) aware of this problem and that the most recent Macs have a bit more firmware security, but they clearly need more.

Putting the TPM chip back and making it validate the motherboard firmware before the boot process starts seems like a critical first step. Disabling option ROMs on expansion devices (PCIe, TB, whatever) is also important.

I think it may be necessary to support option ROMs for some devices, but I think they should be enabled on a device-by-device basis and never be allowed for all devices. Furthermore, they should only be enabled by explicit operator configuration, and after doing so, the option ROM's signature must be stored in the TPM so subsequent tampering can be detected.

I think another useful step would be to no longer allow automatic firmware updates. In the past (e.g. on PowerPC-based Mac Minis), you would need to explicitly unlock the ROMs (in the case of a PowerPC Mini, by holding the power button for 10 seconds during the power-on sequence) in order for any update to go through. This wouldn't stop someone with physical access to your computer, but it would prevent a random Thunderbolt device from being able to rewrite the firmware by merely triggering a reboot. It would make updates pushed from Apple a bit more inconvenient to install, but I'm willing to put up with it for those rare occasions when firmware is updated.
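The proposal above (enable option ROMs only per device and by explicit operator action, record each one's signature in the TPM, and have the TPM validate the motherboard firmware before boot) is essentially measured boot. The following is an added example, a pure-software model written for this thread and not Apple's firmware, the Thunderstrike code, or any TPM implementation. It shows the two checks such a design gives a defender: a per-ROM comparison against what the operator enrolled, and an aggregate PCR-style value that changes if any component in the chain is altered. All images and hashes are constructed.

```python
"""Software model of measured boot for firmware and option ROMs.

Added example for the Thunderstrike discussion. The "PCR" is modelled as
a SHA-256 chain in the TPM style (new = H(old || H(component))); the
firmware and option ROM images are constructed byte strings.
"""
import hashlib


def extend(pcr, image):
    """TPM-style extend: the register can only be advanced, never set,
    so the final value depends on every component and their order."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(components):
    """Extend a zeroed register with each (name, image) in boot order."""
    pcr = bytes(32)
    for _name, image in components:
        pcr = extend(pcr, image)
    return pcr


def check_boot(components, sealed_pcr, enabled_roms):
    """Return a list of findings (empty means the chain is as enrolled).

    enabled_roms maps an option ROM name to the SHA-256 hex digest the
    operator recorded when explicitly enabling that device. ROMs absent
    from the map are treated as disabled, i.e. never executed.
    """
    findings = []
    for name, image in components:
        if not name.startswith("optionrom:"):
            continue
        digest = hashlib.sha256(image).hexdigest()
        if name not in enabled_roms:
            findings.append(f"{name}: option ROM not enabled by the operator, refusing to run it")
        elif digest != enabled_roms[name]:
            findings.append(f"{name}: image hash {digest[:12]}... differs from the enrolled one")
    if measure_boot(components) != sealed_pcr:
        findings.append("PCR mismatch: measured boot chain differs from the sealed value")
    return findings


# Constructed images standing in for real firmware and option ROMs.
FIRMWARE_GOOD = b"EFI firmware image v1 (constructed)"
ROM_TB_GOOD = b"Thunderbolt option ROM (constructed, operator-approved)"
ROM_TB_ROGUE = b"Thunderbolt option ROM (constructed, tampered)"

# What the operator enrolled: one approved Thunderbolt ROM, nothing else.
GOOD_CHAIN = [("firmware", FIRMWARE_GOOD), ("optionrom:thunderbolt", ROM_TB_GOOD)]
ENABLED_ROMS = {"optionrom:thunderbolt": hashlib.sha256(ROM_TB_GOOD).hexdigest()}
SEALED_PCR = measure_boot(GOOD_CHAIN)


def scenarios():
    """Run the model over the enrolled chain and three tampered variants."""
    return {
        "enrolled": check_boot(GOOD_CHAIN, SEALED_PCR, ENABLED_ROMS),
        "tampered_rom": check_boot(
            [("firmware", FIRMWARE_GOOD), ("optionrom:thunderbolt", ROM_TB_ROGUE)],
            SEALED_PCR, ENABLED_ROMS),
        "unknown_device": check_boot(
            GOOD_CHAIN + [("optionrom:pcie-chassis", b"never enrolled (constructed)")],
            SEALED_PCR, ENABLED_ROMS),
        "tampered_firmware": check_boot(
            [("firmware", b"rewritten firmware (constructed)"),
             ("optionrom:thunderbolt", ROM_TB_GOOD)],
            SEALED_PCR, ENABLED_ROMS),
    }


if __name__ == "__main__":
    for label, findings in scenarios().items():
        print(label, "->", findings or ["ok"])
```

The last scenario is the one the signature-per-ROM check alone cannot catch: the approved ROM is intact but the firmware it loads into was rewritten, and only the chained measurement notices. That is why the post's two suggestions belong together; enrolment of ROMs limits what may run, and the register records what actually ran.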

item.204411

J Land

Mike Rose said:

I have disabled Spotlight for 4 months now and have noticed an improved response time. I also have found that EasyFind, a free app (not related to me), is very good and extremely fast at finding things I need to look for. In fact, IMHO, it is miles better than Spotlight for finding obscure items.

Same experience here. Spotlight has always been half baked for me. The way it finds too much and too little at the same time, with only a few fairly useless limiting parameters, and then presents them to you in such a mediocre manner is useful for some searches but not most, IMHO. EasyFind is great and a perfect way to quickly grab pesky app plists and other problem files that Spotlight insists don't exist, and sort by all of the usual options much easier than with Spotlight.

No connection to it either. I'm used to rarely using Spotlight but now I'll go so far as to turn it off. Any Apple apps that occasionally rely on it I'll be satisfied to deal with.

[While I like EasyFind, also, I've been using Thomas Templeman's very fast Find Any File instead. -Ric Ford]

item.204425

Bo Clawson

Mike Rose noted disabling Spotlight to speed up his machine.

Great move!

People use their Macs differently. Set the Spotlight search choices to get what you want to find and not all the rest of the garbage in the world, if you are only going to search files in your home folder.

I personally only use Spotlight to search my Documents folder. It makes the results very easy to scan through - otherwise the list of results is monstrous.

item.204486

MacInTouch

Apple wants your fingerprints in the cloud

Apple wants to collect and store your fingerprints to spread its payment service and simplify download authorisation. Cupertino aspires to upgrade its TouchID with the capability to collect, encrypt and upload fingerprints to Apple servers so that users can verify their identities with a single print matched to those stored online.

Jan. 21, 2015

item.204744

Hanno Wirth

Google has published a severe and currently unpatched security issue with the networkd in MacOS 10.9.5 (Mavericks) including an exploit:

OS X networkd "effective_audit_token" XPC type confusion sandbox escape (with exploit)

networkd is the system daemon which implements the com.apple.networkd XPC service. It's unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network.)

...

Attached PoC exploits this bug to run a shell command as networkd....

The reason for the publication is that Apple has failed to produce a fix within the 90 day period for disclosure set by Google.

item.204743

Bo Clawson

How is it that a Safari URL entry that starts with the first character of a password I use (non-alpha for only one purpose) shows my password in the Google Search list that follows in the auto-pop down suggested list???

I have never searched for that password on Safari or Google, so how has Google sniffed my (now changed) password?

Could Google [or] Safari be compromised to somehow be a keystroke sniffer? With Safari always loaded, each time you enter a password, could Google be looking over your shoulder? Looking only to find out what product you might buy, right?

This has horrible implications....

Any comments, reasons, possibilities for this out there in MacInTouch land?

item.204747

Stephen Hart

Bo Clawson wrote:

How is it that a Safari URL entry that starts with the first character of a password I use (non-alpha for only one purpose) shows my password in the Google Search list that follows in the auto-pop down suggested list???

I tried starting several of my passwords in the Location field and none autocompleted or were shown in the list of possibilities. I did, amusingly, get a Google hit for what looked like a password that had the first three characters of one of mine.

item.204742

Nate Goldshlag

Edward Snowden says secret Apple spyware is the reason he won't use an iPhone:

"Edward never uses an iPhone; he's got a simple phone," Kucherena said. "The iPhone has special software that can activate itself without the owner having to press a button and gather information about him; that's why on security grounds he refused to have this phone."

Does Snowden know something we don't? The notorious whistleblower certainly has access to plenty of spy agency documents, and recently published files he stole from the NSA revealed that British agency GCHQ indeed uses Apple's iPhone UDID system to track users.

item.204707

MacInTouch Reader

David Charlap, talking about Thunderstrike, said:

"If... [serious tampering concerns]... then you really have no choice but to lock-down your firmware as described in the article."

I haven't read the "long, technical" article, and I'm switching gears here, but the reference to locking firmware (which I didn't know was even possible) made me wonder about something else:

If a Snow Leopard fan would like to experimentally install Yosemite on an alternative boot volume, but is concerned about Yosemite changing the Mac's firmware in a way that would be awkward for future Snow Leopard use... is it possible to avoid this by locking the Mac's firmware first, and then install and run Yosemite without letting it screw around with the firmware?

item.204381

Ed Sikorski

Re. Mike Rose and Easy Find:
Put me down for more kudos to Easy Find.

CCC (Bombich) told me that an issue I was having with my SSD - having link issues with my other 1TB internal HDD crossing apps (from clone) - was that I needed to remove the 1TB (clone/backup) drive from Spotlight. Once I did that, I haven't see the issue.

Do I need to search the 1TB clone? No. But I am turning off Spotlight forever... EasyFind is free too.

item.204720

George

Re. J Land, Mike Rose, Ric Ford and Item 204411...

Mike Rose said:

"I have disabled Spotlight for 4 months now - improved response time - EasyFind, a free app - extremely fast at finding things - (especially) obscure items."

J Land:

"Same experience here. Spotlight - finds too much and too little at the same time, with only a few fairly useless limiting parameters -"

Ric Ford:

"While I like EasyFind, I've been using Thomas Templeman's very fast Find Any File instead."

Easy Find is a free GUI search app from Devon, part of a set of interesting, useful, and free utilities offered as "Needful Things." A deeper geek than I am looked into Easy Find at my request and reported (as one would expect) it is a GUI interface to "Unix" commands that could be accessed in Terminal. He did confirm Easy Find isn't, as Spotlight in Yosemite now does, sending data off your local system.

I just tried "Find Any File" by searching our work Synology NAS. It did a fine job of finding files. Lots and lots of files. (I had specified a search string that began with 13-14, which in our work case is a "fiscal year" naming convention used a lot.)

The report output (on very brief trial) didn't seem as useful as Easy Find's. And Thomas Templeman himself notes "Find Any" won't look into files. In that respect, "Easy Find" is a potential substitute for Spotlight in a way that "Find Any" isn't. I'm keeping "Find Any" onboard to try more, and plan on sending the requested small donation to support its developer.

I'm still running Mavericks. As I've often commented, the very idea that Spotlight in Yosemite could send confidential information (I often look for files on my computers I could be fired or disbarred as a lawyer from leaking onto the Internet) is unacceptable. That's why I needed to verify that "Easy Find" isn't phoning my searches home, or anywhere.

A couple of days ago I was looking for some obscure data I knew was on my computer (or, possibly, the network Synology). One way I decided to search it out was with a taxpayer ID number. In Yosemite, that number would have been passed by Spotlight to Apple and possibly from Apple to Bing.

On Mavericks, it's my understanding that does not happen. Still, Spotlight did not find the number.

But Easy Find did, up in a VT-100 folder in /Library, filled with Spotlight indexes of PDFs generated with Acrobat Pro. A good reason, I guess, to reinstall FileVault 2, except it seemed to greatly slow down my older MacBook Pro. Instead, I'm thinking of turning Spotlight off completely, and trying to securely delete those plain text files of its search results hiding up in the Library - if I can figure out exactly how.

item.204726

Jeff Blume

While I like EasyFind, also, I've been using Thomas Templeman's very fast Find Any File instead.

I like "Find Any File", too, for its excellent (and for folks with pre-OS X experience, familiar) interface. However, "EasyFind" will search files by content, while "Find Any File" will not. So, they both get a lot of use here.

item.204711

Jeff Schaffer

Mike Rose has disabled Spotlight to improve performance. In the past I had an issue with the Mail app being unable to search until the Spotlight indexes were complete. Doesn't disabling Spotlight also disable search in Mail (and perhaps other apps)?

item.204699

Stephen Hart

J Land wrote:

"Spotlight has always been half baked for me. The way it finds too much and too little at the same time, with only a few fairly useless limiting parameters..."

A few parameters?
I can fill my 27" monitor top to bottom three times over with the list of parameters Spotlight allows in a Finder search. And I can combine them however I want.

"EasyFind is great and a perfect way to quickly grab pesky app plists and other problem files that Spotlight insists don't exist.."

Again, look at the list of parameters. You can get Spotlight to find any file on your Mac, including invisible and system files. Spotlight does depend on an index, so it doesn't show anything not indexed.

Jan. 22, 2015

item.204794

MacInTouch Reader

Regarding the networkd exploit that Google reported for Mavericks: I just did an EasyFind search, and discovered that networkd exists on my Mavericks boot volume but does not seem to exist on my Snow Leopard boot volume. Just in case anyone else was wondering.

item.204788

David Charlap

I don't remember if the link was already posted, but here's a Thunderstrike FAQ:

https://trmm.net/Thunderstrike_FAQ

which should be very useful to people concerned (or at least interested.)

A super-brief summary is that no, this isn't going to be a serious concern for most people, but it is going to be a concern for some people, especially if you attend hacker conferences (where nothing is safe) or are the kind of person that a government would want to spy on (and therefore can't trust customs agents with your computer.)

item.204787

David Charlap

An anonymous MacInTouch Reader wrote, regarding Thunderstrike and locking-down firmware:

If a Snow Leopard fan would like to experimentally install Yosemite on an alternative boot volume, but is concerned about Yosemite changing the Mac's firmware in a way that would be awkward for future Snow Leopard use... is it possible to avoid this by locking the Mac's firmware first, and then install and run Yosemite without letting it screw around with the firmware?

I don't think so. Based on what I read in the article, he's talking about installing a custom (hacked) version of the Apple firmware that disables certain PCIe capabilities of the Thunderbolt interface. It will prevent a rogue Thunderbolt device from hacking your firmware, but it will also disable some Thunderbolt features that you might use (e.g. a PCIe expansion chassis).

I suppose you could replace the certificate such that Apple's firmware updates would fail validation. You'd then need to re-sign updates with your own certificate in order to install them. You could do that, but you'd better know what you're doing, because a mistake will lead to a bricked Mac.

As for blocking Yosemite's firmware updates, I suppose you could, but you would probably end up preventing Yosemite from installing altogether. Depending on what those firmware updates are, you might find that Yosemite doesn't work reliably or at all. If you plan on going this route, I suggest you experiment on a Mac you don't care about before using it on the computer you actually work with.

item.204764

MacInTouch Reader

Re:

How is it that a Safari URL entry that starts with the first character of a password I use (non-alpha for only one purpose) shows my password in the Google Search list that follows in the auto-pop down suggested list???

I have never searched for that password on Safari or Google, so how has Google sniffed my (now changed) password?

Just tried this using Safari, Firefox, Epic, and Chrome on four Macs ranging from a MacBook Air, an old MacBook, a 5K iMac, and a Mac Pro. None of them offered/showed anything close to my system password, or any other password for that matter. I'd think you've got another problem going on with your system. Maybe a good malware/antivirus scan would be in order?

Luck

item.204751

Bo Clawson

OK, let's examine this possible scenario for password snooping:

1. You sleep your MacBook Pro with all apps running, where Mail and Safari are always left "on." Safari may be the active app most of the time when going to sleep.

2. You open the lid.

3. You hear the ding with your emails obviously coming in before you type your password, so OS X is fully functional... The only thing inactive is screen power, apparently.

4. So what apps are watching you enter your screen lock password other than Apple's password dialog box? Just what and who has access to this if they have bugged your Mac?

5. Can Safari/Google or something connected to it be sniffing your password as you unlock your screen? Could Safari pick up the password just like another potential URL/Google search term?

6. Should we shut down, rather than sleep, given the speed of SSDs in booting? All windows reappear after reboot, so why not? Control Option Command Eject from now on.

item.204768

Joe F

How is it that a Safari URL entry that starts with the first character of a password I use (non-alpha for only one purpose) shows my password in the Google Search list that follows in the auto-pop down suggested list???

Is what you are seeing Google search results or URL auto-complete? Snow Leopard is still my default OS, so I haven't used Yosemite much and don't know the behavior of the latest Safari versions.

Perhaps a simpler, less nefarious explanation is that at some point you accidentally typed your password in the URL field? I've nearly done that several times when I over-zealously tabbed on a web form, or a random click put the cursor in the URL field when I thought it was in a password field. Then I start typing my password before realizing it's being entered in the URL field.

So perhaps Safari is remembering your password not as a password but as a URL you've previously entered?

item.204779

Wire

Re. security and passwords appearing in search boxes...

At risk of being helpfully unhelpful, if you observe Occam's Razor, a good explanation is that whether or not you intended to enter your password into a search box, at some point you inadvertently did.

I've mentioned in other posts that various OS X UI defects -- race conditions in the UI -- can cause input focus to change spontaneously, where you intend to interact with one UI element and another pops in. Add to this effect click fumbling that naturally occurs in a complex, modal UI. Then amplify the UI mayhem with per-application anomalous click / focus input behaviors, and a lot can go wrong.

As a concrete example, consider this "defect" in Google Chrome on Mac when accessing a device control interface:

The web interface for Juniper networking gear has the quirk that if you click and hold in a area, such as to select text within a text region, and you overshoot the cursor and release the click as the cursor happens to be over a UI button (say a button right next to the text area), the click-release is taken as a button click, with corresponding unintended and highly undesirable consequences, such as committing unfinished config, or otherwise controlling the unit.

Consider how a trackpad tap-with-drag-and-drag-lock gesture might amplify such confusion. Add multitouch gestures.

There's no need to go into details about how much this is or isn't about Mac -- everyone has some experience with utterly ambiguous and unintended control of a computer. I find OS X and iOS have plenty of such issues.

Getting back to the post's observation that "he never enters his password into search", the difference between what we intend and what actually happens may be the greatest conundrum of history, and computer tech is magnifying the problem.   :)

item.204761

MacInTouch Reader

On the subject of "Easy Find", I also consider it an "install right away on any Mac" essential. Great utility!

On the subject of Spotlight's general annoying-ness, [Dave Nanian/Shirt Pocket Software] has a very interesting post about Spotlight's liabilities when making back-ups:

Paving the Road to Hell

item.204763

MacInTouch Reader

Stephen Hart wrote:

Spotlight does depend on an index, so it doesn't show anything not indexed.

Many of us here on MacInTouch are mechanics (professionally or not) seeking solutions to problems. That Spotlight doesn't index (or even permit a non-indexed search of) the folders that hold the cause (or solution to) the problem, is the very issue.

And for me, Spotlight's (not readily changeable) default to searching contents (which I need to perform perhaps once a year) rather than file name, causes me to think impure thoughts about Spotlight every time I use it.

item.204765

Kathryn Jenkins

A couple of days ago I was looking for some obscure data I knew was on my computer (or, possibly, the network Synology). One way I decided to search it out was with a taxpayer ID number. In Yosemite, that number would have been passed by Spotlight to Apple and possibly from Apple to Bing.

It is supposed to be possible to disable those transfers of information:

http://www.wired.com/2014/10/how-to-fix-os-x-yosemite-search/

Luckily, Yosemite's search-snooping can be switched off in seconds. In Mac OS X's System Preferences, the functions can be found under "Spotlight" and then "Search Results." From there you need to disable "Spotlight Suggestions," "Bookmarks and History," and "Bing Web Searches." If you use Safari you will then need to disable the same "Spotlight Suggestions" function in the browser (under "Preferences" and then "Search") to avoid having terms you type into its address bar shared with Apple by default too.

Perhaps some savvy MacInTouch reader can verify that doing what is suggested in the Wired article does indeed prevent information from being passed on. It has the possible additional benefit of improving Yosemite's performance: it did on my guinea pig Yosemite drive.

item.204774

Fred Moore

I love EasyFind, too. However, I also use Find Any File because it has a quick and easy facility I haven't found anywhere else: You can specify "Creation/Modification Date is within the last n minutes". This can be a great troubleshooting helper to find exactly which file was created/changed by an action I just performed.

[I love this feature of Find Any File, also, and find it helpful for identifying files downloaded by spam emails. -Ric Ford]

item.204775

MacInTouch Reader

Jeff Schaffer noted:

"...In the past I had an issue with the Mail app being unable to search until the Spotlight indexes were complete. Doesn't disabling Spotlight also disable search in Mail..."

I've disabled Spotlight and cannot search Mail.app. This is with Snow Leopard.

Just one more reason why I rarely use Mail.app and prefer a non-Apple mail solution.

item.204790

Shaun James

There may be a misconception about Spotlight search and how it works in Yosemite.

Spotlight only searches the web if you have the Bing Web Searches checkbox in the Spotlight System preference checked. Spotlight only sends the search to Apple if you have the Spotlight Suggestions checkbox in the Spotlight System preference checked. Otherwise, Spotlight only searches your Mac and, if enabled, your local attached and network storage.

This is from About Spotlight Suggestions & Privacy:

If you do not want your Spotlight search queries and Spotlight Suggestions usage data sent to Apple, you can turn off Spotlight Suggestions. Simply deselect the checkboxes for both Spotlight Suggestions and Bing Web Searches in the Search Results tab in the Spotlight preference pane found within System Preferences on your Mac. If you turn off Spotlight Suggestions and Bing Web Searches, Spotlight will search the contents of only your Mac.

If your search results are too large, you can do either or both of the following to refine them. 1) Change the order of the categories in the Spotlight System Preference Pane so that the things you search for most appear at the top of the list. 2) Increase the data you put in your Spotlight query. Searching for "apple" will bring up every Apple webpage in your browser history. If you add "receipt", you've just narrowed it down to your app store and iTunes purchase receipts in your email.

The same practice is true with search engines. The more precise the question, the narrower the answer. The next time you want to search for something on Google, and you know what website it was on, use site:nameofsite followed by your question e.g. site:macintouch.com Yosemite
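Kathryn Jenkins's post (item.204765) asks whether the Wired steps can be verified, and Shaun James's post above quotes Apple's statement that the two checkboxes, Spotlight Suggestions and Bing Web Searches, are what decide whether a query leaves the Mac. The script below is an added example for both posts, not from the thread, Apple or Wired: it reads the Spotlight and Safari preference plists and reports which network-sending options are on, then shows the same plist with those items turned off. The category names `MENU_SPOTLIGHT_SUGGESTIONS`, `MENU_WEBSEARCH` and `MESSAGES` in `com.apple.Spotlight` and the `UniversalSearchEnabled` key in `com.apple.Safari` are my assumptions about Yosemite's preference layout; confirm them against `defaults read` on your own machine. The plist contents embedded here are constructed.

```python
"""Audit Spotlight and Safari preferences for settings that send search
terms off the Mac (Yosemite era).

Added example for the MacInTouch thread. Preference key names are
assumptions to verify locally with `defaults read`; the plist bodies
below are constructed stand-ins for
~/Library/Preferences/com.apple.Spotlight.plist and com.apple.Safari.plist.
"""
import plistlib

# Constructed Spotlight preferences with both network items still on.
SPOTLIGHT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>orderedItems</key>
  <array>
    <dict><key>enabled</key><true/><key>name</key><string>APPLICATIONS</string></dict>
    <dict><key>enabled</key><true/><key>name</key><string>MENU_SPOTLIGHT_SUGGESTIONS</string></dict>
    <dict><key>enabled</key><true/><key>name</key><string>MESSAGES</string></dict>
    <dict><key>enabled</key><true/><key>name</key><string>MENU_WEBSEARCH</string></dict>
  </array>
</dict>
</plist>
"""

# Constructed Safari preferences with "Include Spotlight Suggestions" on.
SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>UniversalSearchEnabled</key><true/></dict>
</plist>
"""

# Assumed category names (see lead-in) and what each one means for privacy.
NETWORK_ITEMS = {
    "MENU_SPOTLIGHT_SUGGESTIONS": "Spotlight Suggestions (queries sent to Apple)",
    "MENU_WEBSEARCH": "Bing Web Searches",
}
MAIL_ITEM = "MESSAGES"   # assumed name of the "Mail & Messages" category


def _enabled_names(prefs):
    """Names of every orderedItems entry whose 'enabled' flag is set."""
    return {item.get("name") for item in prefs.get("orderedItems", [])
            if item.get("enabled")}


def spotlight_findings(plist_bytes):
    """Labels of the network-sending Spotlight items that are enabled."""
    names = _enabled_names(plistlib.loads(plist_bytes))
    return [label for key, label in NETWORK_ITEMS.items() if key in names]


def mail_previews_enabled(plist_bytes):
    """True if Spotlight may return (and QuickLook preview) mail hits,
    the path the Sophos post above suggests switching off."""
    return MAIL_ITEM in _enabled_names(plistlib.loads(plist_bytes))


def safari_findings(plist_bytes):
    """Safari's own Spotlight Suggestions switch; a missing key is
    treated as the default, which is on."""
    prefs = plistlib.loads(plist_bytes)
    return (["Safari: Include Spotlight Suggestions is on"]
            if prefs.get("UniversalSearchEnabled", True) else [])


def disable_network_items(plist_bytes):
    """Return a copy of the Spotlight plist with the network items off,
    i.e. the state the Wired steps leave behind."""
    prefs = plistlib.loads(plist_bytes)
    for item in prefs.get("orderedItems", []):
        if item.get("name") in NETWORK_ITEMS:
            item["enabled"] = False
    return plistlib.dumps(prefs)


if __name__ == "__main__":
    print("Spotlight:", spotlight_findings(SPOTLIGHT_PLIST) or ["local-only"])
    print("Mail previews:", mail_previews_enabled(SPOTLIGHT_PLIST))
    print("Safari:", safari_findings(SAFARI_PLIST) or ["off"])
    print("After fix:", spotlight_findings(disable_network_items(SPOTLIGHT_PLIST)) or ["local-only"])
```

To run it against a real machine, dump the live preference file to XML (for example with `plutil -convert xml1 -o - ~/Library/Preferences/com.apple.Spotlight.plist`) and pass those bytes to the functions; make the change itself through System Preferences and Safari's Preferences as the Wired article describes, then re-run the audit, since the preference daemon may cache values and the key names here are unverified assumptions. The preference check confirms intent only; whether a query actually leaves the Mac is settled by watching the network, which is the Little Snitch question raised earlier in the thread.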

item.204808

MacInTouch Reader

It's also worth noting that Spotlight also searches your documents in iCloud, and network volumes, which other alternatives may not.

item.204785

James Cutler

Nate Goldshlag asked,

"Does Snowden know something we don't?"

Snowden may not know any more than we already know about Find My iPhone.
