Apple software sees disastrous, embarrassing week with iOS springboard crash, macOS root u...


Comments

  • Reply 81 of 119
    nhughes said:
    nhughes said:

    I've been the managing editor of AppleInsider for 8 and a half years...
    Can you explain the decline in the number of posts? Articles used to get hundreds of replies, but nowadays it seems only every now and then an article receives over 30 posts. Most articles are getting single digit posts, making this site feel like a ghost town. There used to be really great discussions on all things tech, which I always loved to read and participate in.
    I don’t know the answer for sure, but I can offer you a few educated guesses:

    - We publish more news, which pushes older stories down the page, which leads to fewer comments. Weekend content tends to receive more comments because there isn’t as much news being published.
    - We, along with every other website on the internet, have a troll problem, which stifles discussion and discourages new people from commenting.
    @nhughes also when unpopular or Apple critical opinion or thought gets quickly derailed by the strangedays of this forum, it goes a long way to stifling discussion, this article to me is fair and just but coz it's not Apple praising he was the first to reply with personalized snit with little relevance to the core issues raised. That entire back and forth was just tiresome to read, I mean honestly can Apple do no wrong and be called on it?
    asdasdmuthuk_vanalingam
  • Reply 82 of 119
    Tim Cook’s gonna fire all those lazy assholes responsible for this..
    As he did with the Apple Pencil charging, iPhone 6 battery case, Mighty Mouse "designs", the video content and iTunes debacles, the optical AppStore redesign, all missed Airpod/Homepod/AirPower launch dates. Gee man, he's such a lion. Are there still people working there ?
  • Reply 83 of 119
    vmarks Posts: 762 editor
    vmarks said:
    kruegdude said:
    nhughes said:
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    By the same exact token -- just because some people experienced problems doesn't mean many or most. I've been with family all thru and after Thanksgiving, all Apple devices, and none of us were in a living nightmare because none of us experienced any problems. Sure bugs exist, but the way the techie echo chamber makes it out you'd think everyone's devices were failing everywhere. They aren't. 
    If you found out that your front door lock didn't work properly, even though no one actually took advantage of it and broke into your home, would you give the lock company a pass for their mistake? The root bug in macOS is an embarrassment for Apple, and they deserve to be taken to task for it.

    My iPhone X was not affected by the iOS 11.1.2 bug, but my wife's was. Took multiple attempts to install the 11.2 update because the springboard kept repeatedly crashing. On any week, that would be a bad bug. On this week, it's the capstone for an unfortunate series of self-inflicted wounds.
    Your lock analogy is poor. Most people don’t have their macs out in the open making it available for anyone to access. Also, if they did, it would be locked via a password, you know, the door lock of our macs. 

    And I see that your personal device was affected. Sorry to hear that but normally people who have problems with their devices don’t get to pen an entire article in a reputable online magazine riddled with hyperbolic phrasing depicting a sky is falling on us Apple users. Most, as in an extremely large number, of us were not affected by the springboard crash and no one was affected by the root password bug. 
    That's the macOS bug - root, the most powerful user your computer can have, more powerful than an admin user, so powerful that Apple has disabled it by default since OS X launched in 2001 - root shipped enabled, without a password. Your computer on High Sierra was open to all, locally and over the network if you had a publicly routable address. If your Mac was out in the open, it was available for anyone to access, regardless of whether or not your user account has a password. Root, the more powerful account, did not have a password. Root is capable of creating, deleting and modifying your admin user without the admin user's password. 

    The lock analogy is apt. 

    To say that no one was affected by it is a bad presumption. If you rely on knowing with certainty that your computer is secure, the only thing you can do here is erase and reinstall. You simply have no idea what actions were taken if someone remotely accessed your computer with the root account. Essentially, if root is enabled and has no password, your computer is not yours to control. That's not hyperbole. You can suspect that you weren't affected by it and carry on as if nothing happened, but that's you gauging your risk and comfort-level, not being 100% certain to a level that can withstand a security audit that your machine wasn't compromised. 

    Last summer, the Mirai botnet compromised a number of webcams and routers which either shipped with a default password in them that could not be changed, or default passwords that the user had not been encouraged to change when setting them up. A Mac root user botnet was possible here, because there was no default password, there was no password at all. 
    That's just plain wrong. A root botnet is virtually no longer possible in macOS. With El Capitan 10.11 Apple introduced "rootless" mode, officially named System Integrity Protection.
    "System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system.

    Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app."

    https://support.apple.com/en-us/HT204899

    As Apple puts it, SIP is designed to prevent malware modifications of critical parts. Interactive modifications by the hand of such a root user still present significant danger, if the intruder gets local or networked physical access to the Mac. That's worth noting again and again.
    vmarks said:
    I know people will think I'm making more out of this bug than there is. I disagree: if you're at all concerned about the security integrity of your machine, the only way to be sure is to erase. If you're interested in security configurations for macOS, https://csrc.nist.gov/Projects/APPLE-OS-X-SECURITY-CONFIGURATION is a good place to begin reading. 
    That NIST article is outdated since it pertains to OS X 10.10 Yosemite only. With OS X 10.11 El Capitan things have significantly changed as explained in the Apple support document above.
    Thank you.

    SIP addresses software that gains root level access when a user enters their admin username and password to elevate the software's permissions. 
    That's great if we're talking about malware that wants root to modify the system and requests your admin password to get root permissions.
    So the hypothetical bad actor modifies in /usr/local/bin instead of /bin. Would you agree that it's not good? Are users supposed to know to address the directories that SIP doesn't protect? 

    https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/FileSystemProtections/FileSystemProtections.html#//apple_ref/doc/uid/TP40016462-CH2-SW1

    provides more detailed information about what SIP does and doesn't do. There are a lot of good things here: kernel extensions are signed, the startup disk cannot be re-assigned, runtimes are checked to prevent processes attaching to them. SIP makes macOS pretty rootkit-impervious.

    I'll modify what I wrote before: Erasing a user account, /Applications, and /usr/local/ should restore a computer to a known secure state without having to erase the whole machine. Erasing /Applications should be unnecessary if the user hasn't disabled the sandbox ("open anyway"). So we're left with ~/Library and /usr/local/. It seems to me that someone malicious could have run a botnet out of /usr/local/bin/ if they had root access as this bug allowed. Is this hypothetical? Yes. Was it, for a brief time, practical? It seems like it could have been. 

    https://iase.disa.mil/stigs/os/mac/Pages/index.aspx shows that DoD does address 10.12. It's mostly uninteresting things like 'turn off bluetooth, set the login window to require passcode, disable every application that uses iCloud, disable AirDrop, enforce their preferred password policy format.' Those documents are way shorter than I remember them being in the old days. 
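
An added example, not part of the post above and not Apple tooling: a triage sketch for the locations the post says SIP leaves writable, listing files changed since the start of an exposure window. The names `sip_protected`, `changed_since` and `demo` are hypothetical, the static path list is a simplification of Apple's HT204899 document linked in the thread, and the directory tree and cutoff are constructed.

```python
import os
import stat
import tempfile
import time
from pathlib import PurePosixPath

# Simplified from Apple's HT204899 (linked in the thread): SIP covers these
# roots, while /usr/local stays writable for third-party software.
SIP_PROTECTED = ("/System", "/usr", "/bin", "/sbin")
SIP_EXCEPTIONS = ("/usr/local",)


def _is_under(path, root):
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def sip_protected(path):
    """True if path is under a SIP-covered root and not under a carve-out."""
    if any(_is_under(path, e) for e in SIP_EXCEPTIONS):
        return False
    return any(_is_under(path, r) for r in SIP_PROTECTED)


def changed_since(roots, cutoff, include_ctime=True):
    """Return sorted (path, is_executable) for files touched at/after cutoff.

    cutoff is epoch seconds. Directories SIP covers are skipped, since the
    question here is what root could have altered outside that coverage.
    With include_ctime, inode-change time is checked as well as mtime.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if sip_protected(dirpath):
                continue  # keep walking: /usr is covered, /usr/local is not
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # do not follow symlinks
                except OSError:
                    continue
                hit = st.st_mtime >= cutoff
                if include_ctime and st.st_ctime >= cutoff:
                    hit = True
                if hit:
                    exe = stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)
                    findings.append((full, exe))
    return sorted(findings)


def demo():
    """Constructed tree standing in for /usr/local/bin; returns both views."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "usr_local_bin")  # constructed stand-in
        os.makedirs(bindir)
        now = time.time()
        cutoff = now - 3600  # constructed start of the exposure window
        for name in ("new-tool", "backdated-tool"):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        # Reset one file's mtime to a year ago, as timestamp tampering would.
        year_ago = now - 365 * 86400
        os.utime(os.path.join(bindir, "backdated-tool"), (year_ago, year_ago))
        by_mtime = changed_since([bindir], cutoff, include_ctime=False)
        by_both = changed_since([bindir], cutoff, include_ctime=True)
        names = lambda rows: [os.path.basename(p) for p, _exe in rows]
        return names(by_mtime), names(by_both)


if __name__ == "__main__":
    mtime_view, ctime_view = demo()
    print("mtime only:", mtime_view)
    print("mtime or ctime:", ctime_view)
```

On a real Mac the roots would be the unprotected locations the post names, such as `/usr/local` and `~/Library`. Timestamps were under the control of whoever held root, so an empty result lowers suspicion and does not prove the machine is clean.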
  • Reply 84 of 119
    Tim Cook’s gonna fire all those lazy assholes responsible for this..
    Unlikely. Tim knows that in a resource-constrained organization (and whatever Apple's market cap and revenue might be, talent is the constraining resource here), focus needs to be selectively applied. As the top dog, he sets the focus. Where the focus isn't applied, issues will crop up from time to time. That's Reality, whatever the WSJ might say. Challenger went boom, even though NASA is arguably the finest collection of engineering minds in the world. Nothing can force a perfect run, but what you can achieve is repeated success over the years, and that's what Apple and NASA excel at. To sum up: Apple has had at least a fantastic decade, with some issues cropping up from time to time (2011 MBP GC issues, iPhone 4 antenna issues, Siri mostly being stupid outside of the USA... at least in *my* experience, YMMV), but clearly leagues better than any other tech company. Even a few high-profile issues aren't enough to wipe this out.
    StrangeDays
  • Reply 85 of 119
    Tim Cook’s gonna fire all those lazy assholes responsible for this..
    Imagine having to knock on Jobs' office door, "Steve we have another problem".

    I won't profess to know what went wrong with Apple's DNA or how we got to this point, but... a relaxed "Fear of God" might be part of it.  Being wildly rich and successful doesn't mean you can afford to shrug off slop.
  • Reply 86 of 119
    flaneur Posts: 4,526 member
    kruegdude said:
    If I were to hazard a guess as to why we're seeing a higher than normal number of bugs in the code I’d pin it on either parts of the code base being rewritten in a new language or the disruptions caused by the move to a new physical development environment. Or a bit of both. JMHO. 
    Managing the design, the building, and the move in to the new quarters has to have been a major distraction for all the divisions of the company. That, and maybe the code-base rewriting as you say, plus the exponential increase in complexity of all software across all devices — as several commenters here point out — these could all combine to create the conditions for a period of dysfunctional software issues over the last few years.

    I wish that people who tend to get shrill over Apple's "decline" or their "priorities" would keep these real-world factors in mind. In the old days, from a big-picture perspective, we used to say that such-and-such a company was "going through some growing pains." I think that's about the right tone to apply here, not one that questions the entire vision of Apple from Tim Cook on down. 

    Still, I think the article here is useful to Apple to hear from Apple Insider, if only as feedback, even if the tone is somewhat "hyperbolic," as @StrangeDays says.
    bb-15tmay
  • Reply 87 of 119
    nhughes said:
    osmartormenajr said:
    The macOS flaw was serious, but patched within a day almost. 
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. But it was not patched within a day.
    "Supposedly."  Huh.
    StrangeDays
  • Reply 88 of 119
    dewme said:
    There's no way to sugarcoat what has happened over the past week at Apple. Apple's software team has to bite down and swallow hard on this week's series of events. This has to be a learning experience, with equal parts of tending to the technical integrity of the people & processes and with activating & amplifying the humility of the entire staff. Some root cause failure analysis, process mapping, soul searching, understanding the checks & balances that impact software/product quality, and defining and committing to an action plan to move forward with an additional commitment and emphasis on building quality into their product early and often. I can't help but see a classic pattern of relying too heavily on the test and QA team as a quality backstop when it is the designers and developers who really need to be the greatest influence on the quality that goes into the software/product - long before the final test and QA folks see it. Fumbling on the response like they did also demonstrates that they were not well prepared to handle the situation/incident that they were presented with and reacted with haste that bit them a second time. These late breaking surprises and panic mode reactions are brutally expensive and disruptive for everyone involved. 

    I have confidence that Tim Cook and the leadership team will make sure that this is a painful lesson soon not forgotten and one that is taken to heart by the entire team. Those who cannot or will not learn or believe that they are above reproach for what's happened will soon find other vocations.

    Very well said.  
  • Reply 89 of 119
    nhughes Posts: 770 editor
    What I get out of this article is that one should never inconvenience Neil Hughes in any way, or he will overreact and bring up every incident where you have slighted him and throw them back in your face.
    I’ve been doing this for 8 and a half years, and have never, ever written an editorial so harshly criticizing Apple. But yes, never ever inconvenience me, because I’ll overreact at the drop of a hat!
    asdasdmuthuk_vanalingam
  • Reply 90 of 119
    asdasd Posts: 5,686 member
    nhughes said:
    osmartormenajr said:
    The macOS flaw was serious, but patched within a day almost. 
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. But it was not patched within a day.
    "Supposedly."  Huh.
    Definitely
    nhughes
  • Reply 91 of 119
    focher Posts: 687 member
    A lot of ridiculous views in this forum.

    First, no one will be fired for these bugs. Primarily because it's a piss poor way to manage an organization to set the standard of zero tolerance for mistakes. Second, there's no single person or set of people that can be blamed. This was an overall process failure, and the best people to address it are the ones who already are running the process ... so long as they recognize the problem and have the attitude that constant improvement is the cornerstone of any build process.

    Second, Apple has almost surely started to analyze and revise its QA processes to mitigate the risk of a repeat of these bugs.

    Third, there was no previous period where Apple products did not have problems. There's no "magical version" of any software or hardware that didn't / doesn't / won't have issues to be fixed. Sticking with a specific device or software version may give an individual some satisfaction, and that's fine, but it's nothing more than a lone approach that doesn't apply to the scale Apple operates at.

    I also think anyone who treats the root bug as a non-issue is just burying their head in the sand. We have absolutely no idea what the wide scale impact of that bug is in regards to systems that have been infected. It may be zero and it may be millions. We just don't know. 
    nhughesbb-15jSnivelyStrangeDaysmuthuk_vanalingam
  • Reply 92 of 119
    Rayz2016 Posts: 6,957 member
    Bacillus3 said:
    Tim Cook’s gonna fire all those lazy assholes responsible for this..
    As he did with the Apple Pencil charging, iPhone 6 battery case, Mighty Mouse "designs", the video content and iTunes debacles, the optical AppStore redesign, all missed Airpod/Homepod/AirPower launch dates. Gee man, he's such a lion. Are there still people working there ?
    So Tim Cook should fire people for building stuff you don’t like. Got it. 

    Here’s a better suggestion: go buy something else. 
    StrangeDays
  • Reply 93 of 119
    Rayz2016 Posts: 6,957 member

    focher said:
    A lot of ridiculous views in this forum.

    First, no one will be fired for these bugs. Primarily because it's a piss poor way to manage an organization to set the standard of zero tolerance for mistakes. Second, there's no single person or set of people that can be blamed. This was an overall process failure, and the best people to address it are the ones who already are running the process ... so long as they recognize the problem and have the attitude that constant improvement is the cornerstone of any build process.

    Second, Apple has almost surely started to analyze and revise its QA processes to mitigate the risk of a repeat of these bugs.

    Third, there was no previous period where Apple products did not have problems. There's no "magical version" of any software or hardware that didn't / doesn't / won't have issues to be fixed. Sticking with a specific device or software version may give an individual some satisfaction, and that's fine, but it's nothing more than a lone approach that doesn't apply to the scale Apple operates at.

    I also think anyone who treats the root bug as a non-issue is just burying their head in the sand. We have absolutely no idea what the wide scale impact of that bug is in regards to systems that have been infected. It may be zero and it may be millions. We just don't know. 
    Well said. 


    tmay
  • Reply 94 of 119
    vmarks Posts: 762 editor
    nhughes said:
    What I get out of this article is that one should never inconvenience Neil Hughes in any way, or he will overreact and bring up every incident where you have slighted him and throw them back in your face.
    I’ve been doing this for 8 and a half years, and have never, ever written an editorial so harshly criticizing Apple. But yes, never ever inconvenience me, because I’ll overreact at the drop of a hat!
    BRB, going to buy loads of hats.
    nhughes
  • Reply 95 of 119
    tmay Posts: 6,311 member
    flaneur said:
    kruegdude said:
    If I were to hazard a guess as to why we're seeing a higher than normal number of bugs in the code I’d pin it on either parts of the code base being rewritten in a new language or the disruptions caused by the move to a new physical development environment. Or a bit of both. JMHO. 
    Managing the design, the building, and the move in to the new quarters has to have been a major distraction for all the divisions of the company. That, and maybe the code-base rewriting as you say, plus the exponential increase in complexity of all software across all devices — as several commenters here point out — these could all combine to create the conditions for a period of dysfunctional software issues over the last few years.

    I wish that people who tend to get shrill over Apple's "decline" or their "priorities" would keep these real-world factors in mind. In the old days, from a big-picture perspective, we used to say that such-and-such a company was "going through some growing pains." I think that's about the right tone to apply here, not one that questions the entire vision of Apple from Tim Cook on down. 

    Still, I think the article here is useful to Apple to hear from Apple Insider, if only as feedback, even if the tone is somewhat "hyperbolic," as @StrangeDays says.
    I'm also in the "Apple rewriting the codebase camp", so I expect that banging on the pipes is going to cause problems sooner rather than later.

    Whether that is the case or not, I'm not losing sleep over this. 
  • Reply 96 of 119
    flaneur Posts: 4,526 member
    tmay said:
    flaneur said:
    kruegdude said:
    If I were to hazard a guess as to why we're seeing a higher than normal number of bugs in the code I’d pin it on either parts of the code base being rewritten in a new language or the disruptions caused by the move to a new physical development environment. Or a bit of both. JMHO. 
    Managing the design, the building, and the move in to the new quarters has to have been a major distraction for all the divisions of the company. That, and maybe the code-base rewriting as you say, plus the exponential increase in complexity of all software across all devices — as several commenters here point out — these could all combine to create the conditions for a period of dysfunctional software issues over the last few years.

    I wish that people who tend to get shrill over Apple's "decline" or their "priorities" would keep these real-world factors in mind. In the old days, from a big-picture perspective, we used to say that such-and-such a company was "going through some growing pains." I think that's about the right tone to apply here, not one that questions the entire vision of Apple from Tim Cook on down. 

    Still, I think the article here is useful to Apple to hear from Apple Insider, if only as feedback, even if the tone is somewhat "hyperbolic," as @StrangeDays says.
    I'm also in the "Apple rewriting the codebase camp", so I expect that banging on the pipes is going to cause problems sooner rather than later.

    Whether that is the case or not, I'm not losing sleep over this. 
    And if that is the case —rewriting — there should be a story somewhere on this very important work, just to give us perspective on "issues" roundups like this Neil Hughes piece. Have you seen anything?
  • Reply 97 of 119
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    By the same exact token -- just because some people experienced problems doesn't mean many or most. I've been with family all thru and after Thanksgiving, all Apple devices, and none of us were in a living nightmare because none of us experienced any problems. Sure bugs exist, but the way the techie echo chamber makes it out you'd think everyone's devices were failing everywhere. They aren't. 
    So we should be thankful that 10 years of high-tech at 300.000 computations per second have brought you to the wisdom that unaffected users remained unaffected
    jSnively
  • Reply 98 of 119
    nhughes said:
    Can you explain the decline in the number of posts? Articles used to get hundreds of replies, but nowadays it seems only every now and then an article receives over 30 posts. Most articles are getting single digit posts, making this site feel like a ghost town. There used to be really great discussions on all things tech, which I always loved to read and participate in.
    I don’t know the answer for sure, but I can offer you a few educated guesses:

    - We publish more news, which pushes older stories down the page, which leads to fewer comments. Weekend content tends to receive more comments because there isn’t as much news being published.
    - We, along with every other website on the internet, have a troll problem, which stifles discussion and discourages new people from commenting.
    The rise of trolls is compelling, and it's connected to Victor's explanation downthread about "Apple became successful." Do you mean the organized variety who work from a script, and not just the brainwashed variety? Not that there isn't overlap there.

    And you're right, it is discouraging, and not just for new posters. When I go to the current top-level article on Tim Cook's remarks in China and think about contributing to the discussion, I find a comment like Reply 9 that exists only to promote disinformation. Stuff like that is best ignored (and thankfully in that thread, so far, it has been), but it tends to make me walk away. Feeding the trolls is wasted energy -- I'm spending my time these days on more productive things -- that guy down the street who watches Fox News all day and keeps a Trump sign out in front of his house doesn't know it, but his neighbors are organizing.
    edited December 2017 nhughesmuthuk_vanalingamjSnively
  • Reply 99 of 119
    I'm not denying there are bugs here. But the impact has been minimal due to the speedy response. I don't know anyone who had intruders from this zero-day exploit.

    In my mind, a true PR disaster -- having your product burn down cars and catch fire on planes, prompting every single domestic flight to cite it by name, triggering multiple recalls. That's a disaster, with real-world impact. This wasn't that. That's why I say it's hyperbolic to equate these relatively low-impact bugs to true disasters.

    Comparatively speaking, a major security flaw and constant reboots of a device most people seem to use throughout the day are, in fact PR disasters for Apple.  I expect crap from Samsung, I don't expect it from Apple, so when something like this does happen, even with speedy and recovery, it's relatively major.  I'm not saying it's objectively on the same level as Samsung's failures, that would be absurd, but Apple is so much better than Samsung that it doesn't take as much for people to express "whisky tango foxtrot, over" about it.
    nhughes
  • Reply 100 of 119
    These are the problems when a company gets as big as Apple.  The Apple of 2000-2010 was slimmed down by Steve Jobs and produced just a few excellent products.  In general, those products were very simple and did only what they were designed to do without a whole lot of superfluous code.  Now Apple is finding itself in the same predicament that Microsoft has in the past.  As capabilities become greater and the platform is opened up to more and more applications (both from within Apple and by app developers) the code is getting much more complex and interrelated.  Changes that one department makes will cascade through the entire platform with unanticipated results.

    I think things are going to get worse as Apple keeps adding systems like 3D cameras, facial recognition, and augmented reality.  The code gets bloated and you have many more people making changes.  Apple is doing the best it can, but now maybe Apple users can appreciate the problems they have criticized Microsoft for over the years when issues slip through the cracks and need to be fixed on-the-fly.
    asdasdmuthuk_vanalingam