Apple logging passwords in plain text
Lion debug ‘feature’ breaks security
A post to Cryptome points the finger at Apple for logging the plain-text passwords of users of “legacy” FileVault under Lion 10.7.3.
According to David Emery, the February update of Lion turned on a debug switch that causes the password of a user of an encrypted directory tree to be logged in plain text. “Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012,” the post notes.
Emery says the log is accessible via a number of approaches, including opening the machine’s drive in Firewire disk mode, or booting via the recovery partition.
One of the Novell thread posters suggests symlinking /var/logs/secure.log to /dev/null to kill the logging.
While the passwords are only locally available, Emery notes that the logging breaks the “family security” model in which different users of the same machine are kept away from each other's files. ®
What Microsoft fans??
I think that non Apple fanbois are often people who use tech as a tool, and not as an accessory or some sort of fashion statement. And maybe they cannot afford Apple since their job can be done better with a cheaper non-Apple product. Also they don't see the need to endlessly drool over how superior their kit is compared with any other brand. That sh1t is soo boring and dull to listen to. The key capability of non-Apple folks over Apple fanbois is that they can shut the *uck up.
Very trivial bug indeed.
And besides who really wants to break into an Apple?
All that will be there is somebody's music collection, somebody's holiday snaps, a few letters, and a few doodles. Maybe even next month's parish newsletter. If they're really lucky they might get the new Kylie single or the latest leaflet for the Green party.
Back in the day ....
..... Steve Jobs would have turned this into a marketing triumph.
After trumpeting this must-have feature across all known media, he'd've sat back and watched lesser companies announce unconvincing plans to make it easier for passwords to be retrieved by non-specialists.
The fan bois would rejoice at the removal of yet another barrier to internet participation by the common hipster.
And, soon, private passwords would be a thing of the past. The new iPassword would potentially allow us all to financially benefit by selling our iPasses on iTunes and sharing in the profits made from our identity theft by the purchasers.
Other companies would learn from Apple's strategy and fire their IT QA departments and hire marketeers instead. All bugs would now be declared as unmissable features, and the more gullible of us would pay more for the bonus ones.