macOS High Sierra ‘root’ security bug: Stop and do this NOW
Rene Ritchie’s explainer walks you through the steps you should definitely take to ensure that your Mac has a root password.
This is an ugly hack, not something I would ever do to what I consider a beautifully designed case. Especially considering that Apple is said to be shipping their own inductive AirPods case in the near future.
That said, I did find this interesting, a chance to see how to quickly and cheaply implement a Qi-compatible wireless charging solution.
Shawn joins me this week to discuss the iPhone X cameras and how it compares to traditional cameras on the market.
Brought to you by:
eero WiFi System: eero’s mesh network is simply the best WiFi system in the industry. It’s simple to set up and covers your entire home. Go to eero.com and enter dalrymple at checkout to get free shipping in the U.S. and Canada.
Nitasha Tiku, Wired:
Facebook may soon ask you to “upload a photo of yourself that clearly shows your face,” to prove you’re not a bot.
The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: “Please upload a photo of yourself that clearly shows your face. We’ll check it and then permanently delete it from our servers.”
And:
In a statement to WIRED, a Facebook spokesperson said the photo test is intended to “help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads.”
This is somewhat reminiscent of Face ID, though presumably without the machine learning aspect, with zero 3D information (it’s a picture, after all) and, also presumably, with a much slower reaction time.
My two cents: I find it interesting that we have such a splintered approach to security. We’ve got security cams, passwords, fingerprints, iris scanning, and 3D facial mapping, all implemented with varying degrees of success by a wide variety of vendors.
Over time, there will be a tension for standards to emerge, to allow for constant verification. With the obvious dystopian potential that goes along with constant surveillance. This tension is between the requirement to verify that you are you, to validate a transaction, protect you from hackers and the like, and the desire to track you, to mine your habits.
With each new security standard you sign up for or opt into, it’s important to know exactly where that data goes and what it will ultimately be used for.
Side note, here’s the Wikipedia page for CAPTCHA. Interesting acronym.
Apple said it is working to fix an issue that allows someone to log in as a root user when they have access to your machine.
“We are working on a software update to address this issue,” an Apple spokesperson said in a statement provided to The Loop. “In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
The issue was first reported this afternoon and was reproduced by Dave Mark at The Loop.
There’s a security hole in macOS High Sierra and we’ve verified the issue.
First reported in this tweet:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Here’s how to reproduce it:
Eventually, you will get a second Unlock dialog. Repeat this procedure with root and an empty password field. This time, when you click Unlock, the admin lock will unlock and you are in.
Note that this does require you to have physical access to a machine and be already logged in to the machine. I have verified this on my machine and it does work.
While this is an issue, this would be way more of an issue if this technique allowed you to log in to a machine (perhaps a stolen one, for example), as opposed to gaining root access to a machine whose user logged in and granted access in the first place. Not nothing, but the sky is not falling.
We’ve reached out to Apple and will update this post the moment we hear back.
UPDATE: This just got a bit worse. This same technique will enable you to login to any Mac whose login options are set to “Display login window as Name and password” instead of “Display login window as List of users”.
While you wait for Apple to respond, suggest you do this:
You can also follow up by entering a root password or, as others have suggested, disabling the root user. My suggestion would be to wait until Apple responds, then follow their suggested advice.
UPDATE 2: Apple said it is working to fix the issue.
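A defender’s check for the state this bug leaves behind, added here as an example and not part of the Loop post or Apple’s instructions. It classifies the root account from what `dscl . -read /Users/root AuthenticationAuthority` prints and maps that to the advice in Apple’s statement; the three output shapes it matches are assumptions to verify on your own Mac, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example (not from the Loop post or Apple): classify the macOS root
# account from the text that `dscl . -read /Users/root AuthenticationAuthority`
# prints. Assumed output shapes (verify on your own machine):
#   - root never enabled  -> "No such key: AuthenticationAuthority"
#   - root enabled        -> ";ShadowHash;HASHLIST:<...>"
#   - disabled afterwards -> ";DisabledUser;;ShadowHash;HASHLIST:<...>"
# A root account that was silently enabled is what this bug leaves behind.

# Takes dscl's output as $1 and prints one of:
# never-enabled, disabled, enabled, unknown
classify_root_account() {
    case "$1" in
        *"No such key"*)    echo "never-enabled" ;;
        *";DisabledUser;"*) echo "disabled" ;;      # checked before ShadowHash
        *";ShadowHash;"*)   echo "enabled" ;;
        *)                  echo "unknown" ;;
    esac
}

# Maps the state to the action in Apple's statement quoted above:
# whatever the state, root should end up with a real (non-blank) password.
advice_for() {
    case "$1" in
        enabled)       echo "root is enabled: make sure a password is set (HT204012, 'Change the root password')" ;;
        never-enabled) echo "root has never been enabled: enable it with a strong password (HT204012)" ;;
        disabled)      echo "root is disabled: still set a root password per Apple's statement, and apply Apple's update" ;;
        *)             echo "could not parse dscl output; inspect it manually" ;;
    esac
}

# Constructed sample outputs, used when dscl is not available (e.g. on Linux).
SAMPLE_NEVER_ENABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Runs the real check on a Mac; falls back to a constructed sample elsewhere.
check_this_machine() {
    if command -v dscl >/dev/null 2>&1; then
        # dscl exits non-zero when the key is absent; keep its message anyway
        out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    else
        out="$SAMPLE_NEVER_ENABLED"
    fi
    state=$(classify_root_account "$out")
    echo "root account state: $state"
    advice_for "$state"
}

check_this_machine
```

Run it with plain user rights; it only reads directory data and changes nothing, so it is safe to push to a fleet of Macs to find machines where root has quietly been enabled.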
Rolling Stone:
Some of the year’s best classic rock came from pop stars like Kesha and Harry Styles; some of the year’s most acclaimed pop statements came via glossier sounds from alterna-rock icons like Queens of the Stone Age, Foo Fighters, St. Vincent and Grizzly Bear. SZA melded emo self-evaluation with the sounds of modern R&B, Chris Stapleton joined classic soul to contemporary country, Jlin added experimental cutting-edge textures to Chicago dance music, Valerie June explored decades of American music and Drake pulled sounds and collaborators from all across the world. Here’s the best of a tumultuous year.
I’m officially old. Not only do I not own any of these albums, I’ve never even heard of three-quarters of the listed bands.
FiveThirtyEight:
When he died from cancer on Dec. 28, 2016, the 31-year-old Pan Pan was the world’s panda paterfamilias: the oldest known living male and the panda (male or female) with the most genetic contribution to the species’ captive population. Today, there are 520 pandas living in research centers and zoos, mostly in China. Chinese officials say more than 130 of them are descendants of Pan Pan.
Pan Pan saved his species by being really, really, ridiculously good at sex.
I bet when you woke up you didn’t think you’d be reading a really interesting story about panda sex today, did you?
Scares me just watching this. Jump to about 2 minutes in for a real closeup of the innards. That’s one brave individual.
Benjamin Mayo, 9to5Mac:
Apple began a support Twitter account early in 2016, answering customer queries and tweeting out the occasional iOS tip. It has now expanded into a dedicated Apple Support YouTube channel.
The account features highly-produced tutorial videos explaining all sorts of iOS features from how to change your wallpaper to deleting your call history.
Here’s a link to the Apple Support YouTube channel. Terrific resource, nice find from Benjamin Mayo.
Joe Rossignol, MacRumors:
At least a few hundred iPhone users and counting have complained about the word “it” autocorrecting to “I.T” on iOS 11 and later.
This is a bizarre new class of bugs. It started with autocorrect capitalizing the first letter of some words, even in The Middle of a sentence.
Then we saw a rash of autocorrects of the letter I to A[?], much to the amusement of Ohio State fans.
And now this. What’s going on here? Is this machine learning going awry? Is this the future of AI? Works most of the time, but every so often a robot goes insane and starts breaking things?
One problem with machine learning is that it creates evolving behavior, which creates a complex tree of possible behaviors, impossible to completely test.
That said, is that what’s going on here? Or is this something more mundane? It’d be good to actually know the cause of these issues. So far, mum’s the word.
Yesterday we posted a pair of Face ID iPhone X ads from Apple. Here’s another pair.
The first one focuses on iPhone X’s ability to track your changing looks, know that it’s you, unlock even with a pretty major change.
The second one is all about the fun of Animoji. I think Animoji are going to sell an awful lot of phones for Apple.
Gabe Weatherhead, MacDrifter:
When my 10.5″ iPad Pro arrived I decided to do a little experiment. You see, I honestly believe that the iPad, iPhone, and other micro super-computers are the future of computing and I want to force myself out of old-man complacency. Five months ago I committed to that experiment and avoided using my Mac unless there was absolutely no way to do something on my iPad or iPhone. Last week I ended my experiment and I have a few opinions (big surprise).
I use my Mac, iPhone, and iPad in a mix throughout the day. My iPhone is always with me, gets all the looks when I am away from my desk. My Mac gets all my looks at my desk. And my iPad gets the rest, those times when I am bopping about, laying about, or in a car (not driving!)
[Of course, my Apple Watch gets its share of looks, no matter the device I’m using, but in my view, does not impact the Mac vs iPad argument.]
Gabe’s piece really captures my feelings about the Mac, why it is the best solution for certain (but by no means all, or even most) situations. Here’s a taste:
I do a lot of text editing, so this is a category where I feel friction the most. There’s really no comparison for me. Text editors on the Mac are more feature rich and I can edit faster than on iOS.
Friction is a perfect word. The Mac is customizable to the point where I can really get at those friction points, ease them to make my process more efficient. iOS, on the other hand, is more portable, easier to get going and, for me, always with me every second I’m awake.
Apple has found a perfect blend of devices. At least for me and my habits.
That said, read Gabe’s piece. See if it resonates for you.
[Via Six Colors]
Apple has just posted these two ads for Face ID.
It will be interesting to see how these are received by average users unfamiliar with the technology.
Studio Neat:
With the improved sensor, wider aperture, and added optical image stabilization on the telephoto lens in the iPhone X, I wanted to see if Apple’s frequency of presenting a cropped image at 2X was reduced at all. The answer: yes. But by how much?
I created a test to hopefully get a rough idea of how much light is required before an iPhone 7 Plus and iPhone X decide to switch to their respective telephoto lenses in 2X mode.
One of the things I’ve seen people talking about is the much improved low light capability of the iPhone X. This is a good description of what happens in low light with the iPhone 7 Plus and iPhone X and how the X deals with it much better.
Regardless of how much (or little) you enjoy the singing or production values, I do find this a fascinating piece of Apple history. Folks who’ve been around the Apple universe for long enough will recognize a lot of these references.
The video was originally posted in 2012, but I just came across it this morning, thought it worth sharing. Anyone recognize anyone in the video? They are ALL Apple employees.
Steven Aquino, responding to Marco Arment’s fixing the MacBook Pro post, specifically this point Marco made about the Touch Bar:
Sorry, it’s a flop. It was a solid try at something new, but it didn’t work out. There’s no shame in that — Apple should just recognize this, learn from it, and move on.
From Steven’s response:
Arment’s recommendation that Apple “back away from the Touch Bar” reiterates a popular sentiment in the Apple community: in blunt terms, the Touch Bar sucks. I’ve read many articles and heard many podcasts where prominent members of the community deride the feature and question its future. These criticisms, while legitimate, sting me personally because I like the Touch Bar.
Read on for the details, but I agree. Don’t throw the baby out with the bathwater. The Touch Bar is an important concept. Let it evolve into the thing it was born to be.
Marco Arment:
There’s a lot to like about the new MacBook Pros, but they need some changes to be truly great and up to Apple’s standards.
Here’s what I’m hoping to see in the next MacBook Pro that I believe is technically possible, reasonable, widely agreeable, and likely for Apple to actually do, in descending order of importance:
On the newer, butterfly keyswitches:
Butterfly keyswitches are a design failure that should be abandoned. They’ve been controversial, fatally unreliable, and expensive to repair since their introduction on the first 12” MacBook in early 2015. Their flaws were evident immediately, yet Apple brought them to the entire MacBook Pro lineup in late 2016.
After three significant revisions, Apple’s butterfly keyswitches remain as controversial and unreliable as ever.
No matter how you feel about the feel of the butterfly keyswitch, reliability and cost of repair are real issues. To me, whether butterfly or scissor design, Apple should stand by their keyboard design. If it’s true that the butterfly keyswitches are breaking far more frequently than their scissor predecessors, Apple should acknowledge this and extend warranty support for the keyboards, repairing them free of charge for, say, two years.
On the placement of the arrow keys on the new keyboards:
The Magic Keyboard only needs one change to be perfect for the MacBook Pro: returning to the “inverted-T” arrow-key arrangement by making the left- and right-arrow keys half-height again. This arrangement is much more natural and less error-prone because we can align our fingers by feeling the “T” shape, a crucial affordance for such frequently used keys that are so far from the home row.
Yup.
On Apple branded USB-C hubs:
Apple’s most full-featured USB-C accessory is downright punitive in its unnecessary minimalism: one USB-C passthrough, one USB-A (a.k.a. regular/old USB), and an HDMI port that doesn’t even do 4K at 60 Hz — all for the shameless price of $80.
Instead of giving us the least that we might possibly need, this type of product should give us the most that can fit within reasonable size, cost, and bandwidth constraints.
How can you argue with this?
USB-C is great, but being limited to 2 or 4 total ports (including power) simply isn’t enough. Even if you adopt the USB-C ecosystem, these MacBook Pros are more limited than their predecessors.
On the Touch Bar:
Sorry, it’s a flop. It was a solid try at something new, but it didn’t work out. There’s no shame in that — Apple should just recognize this, learn from it, and move on.
Not sure I agree with this. As is, the Touch Bar might not be exactly right, but it is a concept that some people do find useful, even invaluable. I think of Touch Bar as more an early adopter work in process, a MacBook element that will evolve into something we all grow to love.
And on charging:
I’d like to see them bring back the charging LED on the end of the cable, and the cable-management arms on the brick. These weren’t superfluous — they served important, useful functions, and their removal made real-world usability worse for small, unnecessary gains.
Amen. I miss the charging LED, especially.
Thoughtful work from Marco, well worth the read, a terrific conversation starter.
This is a fascinating glimpse of Google’s R&D organization, known as X. What I found most fascinating was the coverage of one of the earliest X moonshots, Project Loon:
Loon took the spotlight in the wake of Hurricane Maria, which knocked out power and communications for nearly all of Puerto Rico’s 3.4 million residents.
Before the storm, Project Loon’s team had been working on an AI-based navigation system that can keep high-altitude balloons over a given area for weeks or months at a time to provide aerial internet connections. Peru was the primary testing ground, and Puerto Rico was one of the launch sites. After the hurricane hit, the focus shifted to filling the gap in Puerto Rico. The team quickly worked out arrangements with Puerto Rico’s government and federal authorities as well as AT&T and T-Mobile to boost connectivity.
And:
X says Project Loon is currently providing basic internet connectivity for more than 100,000 people in Puerto Rico.
Loon may not be as well known as Google’s self-driving vehicle project, Waymo, but Project Loon has achieved a real-world impact.
Joe Rossignol, MacRumors:
ModMy today announced it has archived its default ModMyi repository on Cydia, which is essentially an alternative App Store for downloading apps, themes, tweaks, and other files on jailbroken iPhone, iPad, and iPod touch devices.
ZodTTD/MacCiti also shut down last week, meaning that two out of three of Cydia’s major default repositories are no longer active as of this month.
And:
The closure of two major Cydia repositories is arguably the result of a declining interest in jailbreaking, which provides root filesystem access and allows users to modify iOS and install unapproved apps on an iPhone, iPad, or iPod touch.
I’ve always thought of jailbreaking as a wild west frontier, with few rules, little oversight and, correspondingly, no real way to prevent malware. Jailbreaking also technically violates your iPhone warranty.
But, that said, jailbreaking also brought some interesting, experimental features to iOS. Over time, Apple caught up, bringing the more successful jailbreaking features into the fold.
We’re seeing the end of an era.
Mental Floss:
On December 9, 2012, shoppers expecting a traditional IKEA shopping excursion got something else. Sprinting between cars in the store’s adjacent two-level parking garage was a primate decked out in a tailored faux-shearling coat and a diaper. Barely a foot tall, the gimlet-eyed creature scanned the growing crowd around him looking for any sign of his keeper. Several of them snapped his photograph.
In less than an hour, animal services would arrive to collect him. In less than nine hours, he would become an international news story.
I remember when this happened in 2012 and thinking it was a really weird story. This oral history shows it was even weirder than I imagined.
9to5Mac:
Less than five miles from Cupertino, nestled in the shadows of the newly-opened Apple Park, construction crews are quietly putting the finishing touches on another massive development project built under guidance from Apple. A striking architectural feat when viewed from any angle, Sunnyvale’s new “Central & Wolfe” campus will open its doors to thousands of Apple employees in early 2018. 9to5Mac stopped by the future campus to see how the new buildings are shaping up.
I actually had no idea Apple was building a 2nd spaceship.
The Outline:
For a while, spam — unsolicited bulk messages sent for commercial or fraudulent purposes — seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender’s identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that “two years from now, spam will be solved.”
But it’s 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills.
I’m sure many Loop readers will say they have few issues with spam but that’s probably because we’re tech savvy enough to take measures to avoid it. But average users are not so lucky.
Longreads:
On Thanksgiving Day, 1942, an audience stuffed full of holiday cooking settled into the plush seats at the Hollywood Theatre on New York’s Fifty-First Street to watch the premiere of Casablanca, a new film from Warner Brothers. With few Americans knowing Casablanca was a city in French Morocco — let alone how to find it on a map — the studio banked on audiences’ love of wartime intrigue, along with the star power of Bogart and castmates Claude Rains and Paul Henreid, to sell the film.
Casablanca made its debut two-and-half years after Germany marched into France, triggering a massive refugee exodus. As the Nazis advanced, the population of France fled south, hoping to avoid being swallowed up by Hitler’s burgeoning empire. Hungarians, Poles, Russians, Austrians, and Spanish Republicans who had fled their homelands to seek sanctuary in France before the war, once again found themselves on the run. Thousands would end up in Casablanca.
Casablanca is my favorite movie of all time and, while I knew the circumstances were based in fact, this story goes much deeper.
Vox:
Some cities in Europe are undergoing a fascinating transformation: they’re getting rid of all of their road signs.
For us in North America, this might be a terrifying thought. But we’ve all seen video of traffic, particularly in Asia, where masses of people, buses, cars, and motorcycles all seem to be able to manage. The video points out that where this has been tried, pedestrian accidents have fallen sharply. But it also points out how these traffic controls don’t serve disabled communities very well.
Wired:
txt.fyi has no social mechanics. None. No Like button, no Share button, no comments. No feed showing which posts are most popular. Each post has a tag telling search engines not to index it, so it won’t even show up on Google. The only way anyone will see it is if you send them the URL or post it somewhere. txt.fyi is a tool for putting stuff online—but without the usual features to help something become a pass-around hit.
I call it antiviral design.
I’m a big fan of “antisocial” media. I don’t track stats, I don’t care if someone “likes” what I post and I have no idea how many followers I have on Twitter (and don’t care). Whatever I post on social media, I post because I like it, not because I care what anyone else thinks.
This might be a tool for people who just want to get thoughts online without having to worry about all the detritus that comes with it. My fiance (soon to be wife!) is semi-interested in blogging but has zero interest in learning about SEO, WordPress, HTML, etc. This might be the perfect site for her.
Fast Company:
Despite Wall Street’s pessimism, industry leaders sound downright bullish on the future of traditional retail.
What we’re seeing now, industry executives say, is a rational, albeit painful, course correction. One study from retail-research firm IHL Group found that a mere 16 chains, including RadioShack and Payless, account for nearly half of all store closings, and that there will be a net increase of more than 4,000 stores in 2017 and 5,500-plus in 2018.
While it feels like “everyone” is shopping online and retail is on its death bed, this story says it’s not as bad as what it may seem.
I may be an outlier but I still like going to the mall (on occasion) and walking around, if only for the people watching.
Gizmodo:
Have you ever sat down to watch that film that critics are raving about only to be massively unimpressed? Sure, Mark Kermode might have loved The Florida Project, but let’s be honest – what it really needed was a few more car chases and explosions to liven things up.
In fact, it often seems like critics and ordinary cinema-goers are at loggerheads: They want beautifully crafted tales about people in the olden days having feelings, which elucidates universal truths about the human condition. While we want massive robots hitting other robots.
This kind of stuff always fascinates me – how critics can love or hate a movie but audience reaction is the complete opposite. I first noticed this when I saw Naked Lunch and Barton Fink in 1991. Critics loved the two films so I saw them for that reason alone. I hated both of them.
But then again, I hated Forrest Gump so go figure.
I definitely would have used this in college but it does seem like a lot of effort for a fairly simple process.
Smartphone maker Apple Inc and its biggest manufacturing partner on Wednesday said that a small number of students were discovered working overtime in its Chinese factory, violating local labor laws.
Many of the headlines surrounding this story seem to indicate that Apple was caught forcing students to work like slaves. The truth is, Apple has held the companies it works with to a higher standard than anyone else when it comes to helping the workers.