HN Gopher Feed (2017-12-06) - page 1 of 10
___________________________________________________________________
About the security content of macOS High Sierra 10.13.2
125 points by firloop
https://support.apple.com/en-us/HT208331
___________________________________________________________________
[deleted]
numerlo - 1 minutes ago
People are reporting problems on Reddit
https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_u...
with the update. Anybody here tried it yet?
postit - 47 minutes ago
I find it interesting that the most notable names from P0 team
aren't native US citizens.
Even with dual citizenship they won't get clearance easily to work
for NSA.
dragonwriter - 34 minutes ago
> I find it interesting that the most notable names from P0 team
> aren't native US citizens.
How do you know?
> Even with dual citizenship they won't get clearance easily to work
> for NSA.
Not being a native citizen doesn't mean you are a dual citizen; those
are orthogonal concepts. Dual citizens are frequently native-born
(having citizenship-by-birth in more than one country is a
common route to dual citizenship) and naturalized citizens often
do not retain foreign citizenship (they formally must renounce
it, but some countries don't automatically - or ever - give effect to
such renunciation.)
lisper - 42 minutes ago
How on earth can you tell if someone is a native citizen from
their name?
And what difference does it make if they're native or
naturalized? One of the bedrock principles of American democracy
is (or at least is supposed to be) that a citizen is a citizen.
There's a reason that the phrase "second-class citizen" is
supposed to have universally pejorative connotations.
nl - 7 minutes ago
> bedrock principles of American democracy
Clearances aren't democratic (nor should they be).
No idea how they can tell
citizen status from the name, though. I thought the US was made
up of people from all over earth with all kinds of backgrounds
so one couldn't tell from their name.
komali2 - 40 minutes ago
He's not wrong about it being more difficult for people with
dual citizenship to get security clearance, though. At least in
that sense you can be a "second class citizen."
komali2 - 41 minutes ago
Huh. What kind of computers are they using over at the NSA,
anyway? What about their laptops?
asveikau - 37 minutes ago
Just want to repeat what lisper said, and even more emphatically
as this is personal to me, you cannot tell a native US citizen
from their name. I myself have an 11 character surname from the
Baltic States. I was born in Washington DC.
What exactly is a
native born American name to you? English origin? German? I
honestly think you should be ashamed of what you wrote. It's
deeply offensive to those of us with roots in other places.
cortesoft - 21 minutes ago
I have no idea if this is the case, but it could also be
possible that the person you are replying to actually knows of
the people listed. He might not be basing his observation on
the names themselves.
asveikau - 8 minutes ago
I have encountered too many similar comments to believe that
is the case.
kiddico - 2 hours ago
I find it interesting how many of those are attributed to project
zero members
Gys - 2 hours ago
Good to know that at least Google is very concerned with MacOS
security ;-)
ninkendo - 2 hours ago
A sizable percentage of their employees use macs, so it's not
surprising.
digi_owl - 1 hours ago
And the impression I have is that the pixel products are in
part an attempt at getting them to dogfood Google's own
stuff.
mtgx - 54 minutes ago
I think part of the reason why Google even decided to make
its own phones is because of security. If you read about
their BeyondCorp enterprise security architecture, it
emphasizes smartphone security quite a bit and how devices
without timely updates, for instance, will be banned from
the network (Google's own internal network that is).
Given
how bad most Android OEMs are at keeping their devices up
to date, Google didn't have much of a choice, other than
relying on iPhones, too, for its internal
security.
https://cloud.google.com/beyondcorp/
tpush - 30 minutes ago
Why wouldn't they use their Nexuses? They even push the
updates out themselves.
Xorlev - 12 minutes ago
Not everyone has a Nexus or Pixel. It's BYOD except for
Corp phones.
euyyn - 1 hours ago
I can't think of any Google product that isn't dogfooded by
Googlers, to be frank.
tzakrajs - 15 minutes ago
Adsense? I don't remember seeing internal advertisements
powered by Adsense. :P
kiddico - 1 hours ago
well somebody's got to do it
arubberduck - 1 hours ago
Google has long been Apple's security division. Often I wonder
if Apple has any security people at all. The last Safari update
had 11 CVEs from Google. Most of Apple's updates credit one or
more issues to Google, and often Apple credits OSS-Fuzz, which is
also a Google project.
sigmar - 5 minutes ago
> Often I wonder if Apple has any security people at all.
It just
feels like they don't since they don't let their security
people have social media presences. For example, their recent
hire Jonathan Zdziarski
[deleted]
johansch - 2 hours ago
This is their way of saying: upgrade from Sierra to the seemingly
still supremely buggy High Sierra or you'll get owned?
Gee, thanks.
jrochkind1 - 1 hours ago
If I'm reading it right, all those patches are also available for
Sierra 10.12.6 and El Capitan 10.11.6 (and will presumably be
delivered by an update there), except for the ones that say don't
apply to Sierra 10.12.6 (the vulnerability doesn't exist
there).
E.g.:
> macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
And:
> Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
> Not impacted: macOS Sierra 10.12.6 and earlier
nautilus12 - 2 hours ago
Long time mac user, versed in Linux but have been using Mac for
its "convenience" for years: Upgraded to high sierra, and my
power modes started working totally irrationally with seemingly
no explanation. When I closed the lid it suddenly started going
crazy and nearly burnt a hole in my desk. I think it burnt out
the logic board in this way, the GPU and kernel started panicking
after 2 minutes running. When turned off it would turn itself on
and go into this crazy hyper swap mode, the box when I was
shipping it to applecare seemed like it would catch on fire. Had
to keep using SMC shutdown to get it to turn off. I don't know if
the issue was High Sierra, macbook pro 2016 (which are total crap
in my opinion why in the world would you hardwire the hard drive
into the logic board??), or both, but it suffices to say I'm
buying a Thinkpad, and I'm only using Ubuntu on it.
[deleted]
chisleu - 1 hours ago
Make sure it is a new Intel CPU too so you can't get power
management to work there either. #skylakeWasFun
erikcs - 2 hours ago
Most of the CVEs are fixed in Sierra and El Capitan as well.
kevinherron - 2 hours ago
Yep... installed the Sierra security update this morning.
nikanj - 2 hours ago
From a cursory glimpse, it seems Apple only patches CVEs in OSS
components when the OS itself gets an upgrade.
The next time there
is a problem in Apache, the chances seem pretty high it will remain
unpatched on macOS for weeks, if not months.
Prontiol - 33 minutes ago
AFAIK macOS built in Apache is not started by default, so it is
not a security risk anyway
simlevesque - 2 hours ago
Why does macOS ship with Apache ?
rcarmo - 2 hours ago
It used to be the basis for personal web pages, and deployable
to via iWeb, the "easy" web authoring tool that baked text into
images...
Also, the server variants ran most services
(calendars, etc.) behind it.
Edit: premature posting.
tjohns - 2 hours ago
Before Mountain Lion, a personal web server was available under
System Preferences > Sharing > Web Sharing.
They removed the UI
to enable it in Mountain Lion, but the functionality is still
built in and can be enabled if you install Apple's MacOS Server
app from the app store. Or you can just enable it from the
command line.
Waterluvian - 1 hours ago
It was a really nice idea. I wonder how often it got used. I
think it was a conceptual relic of the [Jeff Goldblum
era](https://www.youtube.com/watch?v=dQmK1CnwOUI) of iMacs
with instant Internet and personal webpages.
tomc1985 - 1 hours ago
The "Jeff Goldblum" era is still alive, just not in the
minds of people trying to sell cloud-based alternatives
_sdegutis - 1 hours ago
No, personal web pages have been replaced with Facebook
accounts. Nobody wants or needs a website to show off
photos and videos and personal updates anymore.
coldtea - 1 hours ago
When people say "alive" in casual conversation, they mean
alive for larger amounts of people than statistical
noise...
amatecha - 7 minutes ago
heh, remember when you could actually host your own website
from your home connection on port 80? Dynamic DNS services,
etc... ISPs put a quick end to that, though :(
thought_alarm - 1 hours ago
I assume it's so that I can run Bugzilla on my laptop.
btgeekboy - 2 hours ago
Apple sometimes distributes separate security updates, depending
on the severity of the issue.
sccxy - 1 hours ago
How to update when App Store is not working?
> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)
Same error is shown on terminal too.
[deleted]