Silicon Shecky

Infosec Practitioner

Connect

Another bug disclosed

By Leave a Comment

By now we all know about the bug for MacOS that has been so cleverly referred to as #IamRoot on Twitter. So there are some thoughts I had about it.

First and foremost, this did not affect just root. If you actually read a breakdown of the bug like this one, you will see why. It all has to do with whether an account is disabled or not. Disabled accounts do not have  ‘shadowhash’ data. So when you type in root to log in, initially it looks for it, and the programming that does the checks winds up enabling the root account and setting a password, in these cases a password of blank because of mashing the enter key. You could actually type in a password, and it will enable and set the root password to whatever you want it to be. Once that has been set the next time round, it logs you in. Simple right? Think about it though, what other accounts are disabled? Service accounts? What other accounts have system level access. or near to it. All it would take is an account that has sudo rights that is disabled to allow a blackhat to access the system with sudo privileges and thereby root the box. All this from what is considered a good practice, disabling accounts that do not need to be enabled.

Now Apple has a patch out there (seems they knew about the bug before it was disclosed, and we will touch on that shortly), and that is the ultimate fix. I have heard that this bug has been around forever and was a way to get into a locked out Mac as far back as OSX 10.4 but have not been able to confirm that. Is this a case of a “feature” being a bug? It very well could be, and wo8uld bring us into the idea of backdoors. I do not understand how they could change the logic in the OS code to all of a sudden allow this in High Sierra and it not already being in place for prior versions, unless Apple had done a complete redesign of login and disabled accounts. There were ways of mitigating the problem before the patch, the best known being to enable root and give it a password (the patch from Apple undoes this). Another potential way would be to set a low lockout threshold on the the account (basically enable the root account, but have it set to lockout at the first attempt). The issue with the second method is how would that affect the system. Just thinking out loud here. The bigger concern was that everyone focused on root, and not on checking what disabled accounts there are on the system. As I said, this bypass technique could be used for ANY disabled account. Imagine having to enable all of them and set passwords on all of them. Now put that into an enterprise situation. That could amount to a ton of work.

Now let’s look at the fix/disclosure situation. It took Apple less than 24 hours to release an out of band patch for this problem. Seems they had a fix in the latest beta roll up, and just pulled it out of there. That is all good and dandy, but why wait? With how big a problem this was why not be ahead of the game? Again it leads me to go down the backdoor thought on this bug, and that it was a feature. They knew about it, so the disclosure was cool, right? That is debatable. First we do not know if the person who tweeted Apple Support had reported the bug privately. Either way, using twitter to tell a company about the bug is odd, and sets a bad example of responsible bug disclosure. I would think they would go through getting a CVE for the bug before announcing it. At least that would be the responsible way in my mind. Also why not mention in the tweet that you had found this say 30/60/90 days ago and have not heard back, showing that you gave Apple a chance to fix the problem? The fact that there was a patch basically waiting to be pushed out is not the point, and in fact may have been a lucky coincidence.

So there you have it. Apple screwed up. The disclosure seems a bit irresponsible, and now everything is fine as long as you apply the patch. It does scare me that we are seeing more of these “features” that are exploitable being found (look at Microsoft recently). It scares me even more when a company either has an immediate patch available or says that they will not patch said “feature”.

There are 3 tablets, which one I prefer

By Leave a Comment

I have in my possession a Surface, an iPad, and an ASUS T300 Android Tablet. After having spent time with all three, I look at the pluses and minuses of them, from my perspective, which means that there are opinions in here that are just that, opinions.

Tablets are the new big thing. Everyone wants one, and plenty of companies are making them. Some tend to be designed for specific things (Nook, Kindle) while others make what seem like empty promises to me. I started out with a Nook Color e-reader not long after it came out. I had figured that it would be the tablet of choice for me. Problem was, the 7″ screen and lack of apps, especially free (Ad Supported) apps made me think of getting something else.

That something else came from my work. As we were getting iPads and starting to support them at client sites, they gave me one. this was for me to play with, learn about and use so I could support them. I enjoy the iPad experience. It is quick, and solid. I don’t like Apple, their holier than god and we know what is right for you attitude, and the lack of decent tech apps. Video playback on it has been nice on trips, but I am limited to the Apple formats, as usual.

The Surface is the newest of the Tablets I have. I really had high hopes for this machine, and maybe in the future it will reach those aspirations, but not at the moment. Right now, I deal with the frustration of not finding either the apps I use or an equivalent. Flip Toast is ok, but has bugs (They have told me they are working on fixing them). I can’t find decent Network tools, most apps that I can get free with Ads on other platforms, cost money, or are more expensive than they are on other platforms. Then there is also my Nook issue. I have the Nook app, or my Nook Color on everything else. My Library is there on all my other devices. Microsoft, which bought an 18% stake (IIRC) in Nook has no Nook App for Windows 8. In Fact if you search for Nook in the App Store, you get 2 choices as of writing this article, Kobo or Kindle. So much for partnerships. Don’t get me wrong, there is good about the Surface. Office works nicely, the hardware is responsive and the tile system looks nice. Plus there is the keyboard cover, which is pretty sweet.

Both the Surface and the iPad I got through my office for testing and learning purposes. We want to make decisions on what our sales and service techs are going to use going forward. Honestly, I would lean to the Surface, because of Office, and because of the ease at which it integrates into a Microsoft environment. I can access network shares easily (even though I cannot join an RT device to the domain), and it will do everything that our sales and service teams need. The iPad integration we were trying with a Mac server and we just could not get it to do what we wanted.

The ASUS Transformer T300 is a personal item. It was a birthday gift back in Sept. To tell the truth, I love it. Outside of Flipboard not being available for it, I have everything I want or need on it right now. Yes, I am using Pulse on it, but the lack of new sources I like, and the lack of aggregation from the social media world, makes Pulse a bit annoying, especially in regards to World/U.S. news. Still, I have everything else, including a free Office Suite (which is amazingly useful in its own right). The only drawback to the T300 as compared to the Prime, is the plastic back. I also got a 3rd party case/bluetooth keyboard for it which works as nicely as the Surface’s keyboard cover.

My recommendation right now to people would be the Android Tablet. The T300 does it all, and while a bit sluggish at times, is still is plenty responsive. There are more free apps available for it, and you are not tied into iTunes or Apple’s network. The Surface might be the thing in the future, bight right now, it doesn’t have enough to make it worthwhile, especially on price point. The T300 costs under $400 for a 32GB model. The iPad and Surface (with Type touch cover) are both at $600 for 32GB (Without the Cover the Surface is $499 for 32GB).

Hypocrisy: Microsoft, Google, Silicon Valley and OEMs

By Leave a Comment

The world of Technology is a fickle one. You can be a darling one minute and a hated evil empire the next.

There is a lot of talk going around on the technology websites. With all the announcements made recently there has to be. You have Microsoft’s Surface, Google’s Nexus 7, Apple’s new MacBook, and that is just the tip of the iceberg. As always there is much debate about what these things mean, not only to the world at large, but in terms of what a company is or is not. These opinions help shape the future of tech, and what company’s bottom lines will be. The problem is that those writing opinions are just that, opinions, but people take them as facts.

For instance, lets look at Microsoft and its reputation as an “Evil” empire. This thought, which started back in the 90’s, when Apple was on life support and when Microsoft was trying to outflank any competitor, mostly by using integration with less superior products. There was an Anti-Trust suit, Microsoft had to capitulate to oversight and allowing use of its APIs fairly. The tech world wanted Microsoft broken into multiple companies, like AT&T had been many years ago(and that turned out so well). Here we are now in an age where the world of technology is well more than just PCs. A world where overall, Microsoft is not that big of a player. Yes it still is the dominant PC operating system. The world of mobility though belongs to Apple and Google. The world of the internet belongs to Google and Facebook. Microsoft’s name and slips seem to measure bigger, get sounded louder, and last longer than any slip from any of these other companies.

Take a look at security and privacy. Microsoft has been working for years, and getting much better, at security. Third party applications, such as Flash and Java, have been the big holes into Microsoft systems recently. Yes there are still vulnerabilities found in Microsoft’s software, but the have gotten pretty responsive about patching those holes. Apple recently had the Flashback malware, which came through a Java exploit. A Java exploit which had a patch out from Oracle for 60 days before Apple decided to push it to the OSX machines out there. Apple has control over the updates that get pushed down to its devices. It doesn’t like playing with others. As a result, it has now changed its marketing about Macs and Malware, removing the idea that Mac’s do not get viruses from its marketing. There was a lot of talk about Apple’s problems with security, but overall it did not hurt Apple as a company. The average person didn’t even know about the whole deal. If it was Microsoft the whole world would have been down their throats and never forgotten.

For a second example of the hypocrisy in the world of technology, we can look at Tablets. Microsoft has announced it is making its own tablet called Surface. Most tech writers are pleased with this idea, but the OEMs are pissed. How dare Microsoft produce a tablet of its own. Yet when Google announced its own Tablet, the Nexus 7, these same OEMs had no issue with it. Apple produces the iPad, with utter control over it, and OEMs don’t complain. So why be up in arms over Microsoft? The issue at hand is that Microsoft has been burned by its partners on non-PC’s as of late (I won’t get into the whole HP PC stupidity). Think about it, Microsoft created a tablet type computer almost 10 years ago, besed on specific types of hardware, and the OEMs screwed it up, and overpriced it. Apple comes along with the iPad and its a revolution. Microsoft had the Windows CE phones (I had one and loved it back in the early 2000’s). The OS eventually got a bad rep as it became bloated, but when Microsoft fixed things with Windows 7 Phone were the OEMs ready to get back to producing items with it? No. For that matter, OEMs which have done the same thing with their support of Linux, claim to be supportive, and claim to be coming out with new products based on Microsoft technology, yet either come out with one item that is not pushed in the marketplace, or don’t ever come to market with the item. Now add on that Microsoft has its own store (like Apple), and you can understand why Microsoft would get into making a Tablet of its own.

The reality of it all is that people are letting certain things from the past cloud their judgement. They are not basing everything on the current facts only. Truth be told, Apple is a more controlling and “evil” empire because of its control than Microsoft is. Google has been shown to have a ton of privacy issues, as much if not more than Microsoft. Microsoft gets held to a higher standard because of their past and the Anti-Trust suit more than they should at this point. For technology to really grow right, we need to hold everyone to the same standards.