[–] Gys link

Good to know that at least Google is very concerned with MacOS security ;-)

reply

[–] ninkendo link

A sizable percentage of their employees use macs, so it's not surprising.

reply

[–] digi_owl link

And the impression I have is that the Pixel products are in part an attempt at getting them to dogfood Google's own stuff.

reply

[–] euyyn link

I can't think of any Google product that isn't dogfooded by Googlers, to be frank.

reply

[–] radley link

When I attended Google IO a couple of years back, I was surprised how many Android team members were using iPhones.

reply

[–] tajen link

Well if they want security, Android has only been half serious since 6 (entire systematic disk encryption, half-serious permissions...).

reply

[–] euyyn link

I've had a corporate Android phone since Ice-Cream Sandwich. I assume people that started before me used earlier versions too.

reply

[–] finchisko link

Maybe they want to have their enemy close. :D

reply

[–] ratsimihah link

<insert Sun Tzu quote here>

reply

[–] tzakrajs link

Adsense? I don't remember seeing internal advertisements powered by Adsense. :P

reply

[–] discreditable link

This made me imagine Googlers announcing donuts in meeting room x to others via AdSense.

reply

[–] mtgx link

I think part of the reason why Google even decided to make its own phones is because of security. If you read about their BeyondCorp enterprise security architecture, it emphasizes smartphone security quite a bit and how devices without timely updates, for instance, will be banned from the network (Google's own internal network that is).

Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security.

https://cloud.google.com/beyondcorp/

reply

[–] Cyberdog link

> I think part of the reason why Google even decided to make its own phones is because of security.

Huh. I think the main reason some people (myself included) go out of their way to avoid Google products as much as possible is because of security.

reply

[–] __jal link

Google's security != your security.

I do trust Google to "get security right"[1]. I just don't trust them to secure things I don't want to share with them. Which happens to be a huge percentage of data on and generated by my phone.

[1] In the colloquial sense that people tend to use that phrase.

reply

[–] 8ytecoder link

Do you mean privacy? I don't have issues with Google's handling of security.

reply

[–] syrrim link

That's privacy (i.e. Google collects your data), not security (some random hacker collects your data).

reply

[–] yoz-y link

There is a link, albeit not a first-order one. If your privacy gets invaded enough, then random third parties will get your data (legally, from Google) and then some random hacker will collect it.

reply

[–] tpush link

Why wouldn't they use their Nexuses? They even push the updates out themselves.

reply

[–] Xorlev link

Not everyone has a Nexus or Pixel. It's BYOD except for Corp phones.

reply

[–] tpush link

I was responding to this: "Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security."

My question was why Google would be relying on iPhones when they could just use Nexuses (then) or Pixels (now), since they are pushing their own updates (especially security).

reply

[–] shouldgowork link

Happens at FB (more or less). Employees get ad credits, because it's an incredibly important part of the platform.

reply

[–] kiddico link

well somebody's got to do it

reply

[–] arubberduck link

Google has long been Apple's security division. Often I wonder if Apple has any security people at all. The last Safari update had 11 CVEs from Google. Most of Apple's updates credit one or more issues to Google, and often Apple credits OSS-Fuzz, which is also a Google project.

reply

[–] sigmar link

>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have social media presences. For example, their recent hire Jonathan Zdziarski

reply

[–] saagarjha link

It looks like you were cut off there…

reply

[–] NamTaf link

No, reread it as "For example, [consider] their recent hire Jonathan Zdziarski[, whom you'll see is a leading iOS security researcher from a cursory Google search]"

The GP just omitted a bunch of implied statements, which isn't immediately obvious, especially if you don't natively speak English.

reply

[–] giancarlostoro link

He forgot a period at the end, so it does look like he got cut off potentially.

reply

[–] dep_b link

You don't credit internal employees in this way. These bugs were reported through official channels.

reply

[–] forgot-my-pw link

Security Update 2017-001 was released November 29, 2017: https://support.apple.com/en-ca/HT208315

Does it mean it's the first security update of the year? :(

reply

[–] dep_b link

No, just for this OS

reply

[–] forgot-my-pw link

High Sierra was released in June 2017. So that's still 6+ months without security patches. Not sure if that's a great track record or poor patching planning?

reply

[–] kiddico link

I find it interesting how many of those are attributed to project zero members

reply

[–] orionblastar link

I respect people who choose Macs and MacOS but there are reasons why I use Linux Mint and other versions of GNU/Linux.

reply

[–] dav43 link

Isn’t it ever! The install update now or remind later notifications is classic Windows UI.

reply

[–] MiddleEndian link

OS X through around 10.4 would run most updates in the background and you could restart later at your own leisure. It was fantastic back then.

reply

[–] misterdata link

And what time did it actually take in the end?

reply

[–] ungzd link

For me, about an hour and 2 (or 3?) reboots. And this is a minor version update that consists only of bugfixes. I don't understand why overwriting a few megabytes of files takes such a long time and requires multiple reboots.

reply

[–] reacharavindh link

I'd say between 15 to 20 minutes.

reply

[–] mbesto link

Lemme guess - your fan is buzzing too?

reply

[–] reacharavindh link

Just let my Mac take in this update, now sitting in front of it watching it say

“About 3 minutes remaining”

And then jump to

“About 29 minutes remaining” :-( The price I pay for being dumb to let it update during the work day. OSX is starting to feel more like the old Windows....

reply

[–] btgeekboy link

Apple sometimes distributes separate security updates, depending on the severity of the issue.

reply

[–] simlevesque link

Why does macOS ship with Apache?

reply

[–] tjohns link

Before Mountain Lion, a personal web server was available under System Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is still built in and can be enabled if you install Apple's MacOS Server app from the app store. Or you can just enable it from the command line.

reply

[–] Waterluvian link

It was a really nice idea. I wonder how often it got used. I think it was a conceptual relic of the [Jeff Goldblum era](https://www.youtube.com/watch?v=dQmK1CnwOUI) of iMacs with instant Internet and personal webpages.

reply

[–] tomc1985 link

The "Jeff Goldblum" era is still alive, just not in the minds of people trying to sell cloud-based alternatives

reply

[–] coldtea link

When people say "alive" in casual conversation, they mean alive for larger amounts of people than statistical noise...

reply

[–] tomc1985 link

I suppose that could be an insult, if you were actually right

reply

[–] _sdegutis link

No, personal web pages have been replaced with Facebook accounts. Nobody wants or needs a website to show off photos and videos and personal updates anymore.

reply

[–] veidr link

They do if they don’t want their photos of their kids plastered with ads for fart apps and other unsavory garbage, though...

reply

[–] _sdegutis link

But nobody in the target audience will visit it, because it's some random website and not a Facebook page. So what good is a website that's never visited?

reply

[–] amatecha link

heh, remember when you could actually host your own website from your home connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to that, though :(

reply

[–] __david__ link

Not really. I still host a number of sites on my home linux box.

reply

[–] ungzd link

Nowadays you need PAAS cloud hosting with Kubernetes on at least 3 servers, monitoring SAAS, log storage SAAS, CI for js transpilers, CDN for assets, Cloudflare, SSL certificate, checklist for PWA compliance, UX guidelines, AMP, OpenGraph metadata. Because best practices!

reply

[–] rodgerd link

I... still do?

This is more about ISPs where you live than anything else. Most people don't want the hassle.

reply

[–] amatecha link

Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections. Common enough that noip.com has a "port redirection" feature, interestingly enough: http://www.noip.com/support/knowledgebase/my-isp-blocks-port...

reply

[–] rcarmo link

It used to be the basis for personal web pages, and deployable via iWeb, the “easy” web authoring tool that baked text into images...

Also, the server variants ran most services (calendars, etc.) behind it.

Edit: premature posting.

reply

[–] thought_alarm link

I assume it's so that I can run Bugzilla on my laptop.

reply

[–] nvr219 link

Right, I feel like anyone who would need apache on MacOS would know how to install it...

reply

[–] Prontiol link

AFAIK macOS's built-in Apache is not started by default, so it is not a security risk anyway.

reply

[–] domenukk link

That's a strange way to look at things. You could argue the computer doesn't come started by default so it's not a security risk... If there's an option to start it, it's a risk.

reply

[–] mariusmg link

Yeah, they should sell those Macs without a start button. That should keep them secure :)

reply

[–] nikanj link

From a cursory glimpse, it seems Apple only patches CVEs in OSS components when the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it will remain unpatched on macOS for weeks, if not months.

reply

[–] p49k link

Wow, thanks for mentioning this. My Mac has been freezing when opening tons of apps lately, making it basically useless, and I couldn’t figure out what was wrong until I checked this. I never would have guessed it was a core OS issue. What a ridiculous bug to not patch immediately.

Apparently you can at least mitigate it partly by disabling ReportCrash.

reply

[–] jason_slack link

Can you share how to do this? Anything I can try to be able to launch some of my critical apps might help.

Edit: for those who are curious: https://www.gregoryvarghese.com/reportcrash-high-cpu-disable...

reply

[–] NightMKoder link

Here’s an ok description if folks (like me) are curious: https://robservatory.com/month-13-is-out-of-bounds/ .

reply

[–] jason_slack link

Nothing seems to help me in this article. Thanks for posting it. The more we know the better.

reply

[–] minusf link

no, not fixed and joined by MirrorDisplays:

com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

reply

[–] jason_slack link

I was hoping this would fix my "Month 13 is out of bounds" error. It doesn't. I still have apps I cannot run now because of this. Looks like it is time to back everything up and wipe my disk back to 10.13 with no other updates.

reply

[–] jchb link

Do you have any antivirus or (shady) anti-malware software installed? Not necessarily the problem, but it wouldn't be the first time..

reply

[–] sccxy link

No. Last successful update was just before this root bug.

reply

[–] tachion link

Try and grab yourself a combo update file and apply it to your system.

reply

[–] sccxy link

Unable to install from combo update file.

macOS 10.13.2. Update can't be installed on this disk. In order to upgrade to newer version of macOS High Sierra on this disk, please see the instructions here [https://beta.apple.com/sp/betaprogram/apfsfusion].

Looks like only way out is reinstall of macOS.

Macbook Air 2013

reply

[–] sccxy link

How to update when App Store is not working?

> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

Same error is shown on terminal too.

reply

[–] pjmlp link

Maybe Apple should hire a few more of those mythical C developers that never make mistakes.

3 x out of bounds errors

6 x memory corruption issues

reply

[–] celias link

It took several minutes on a couple of Macs with fusion drives. It seemed stuck at "Calculating time remaining..." but eventually finished, rebooted, and continued installing, this time displaying a reasonable time remaining value.

reply

[–] ams6110 link

I had this problem with the last Sierra update. Have not pulled the trigger on High Sierra yet.

reply

[–] robin_reala link

Yep, no problems (on a 2012 Air). Doesn’t seem to have fixed the Month 13 problem though…

reply

[–] finchisko link

No problem on Air 2012. Upgrade took shorter time than my shower. :D

reply

[–] numerlo link

People are reporting problems on Reddit https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_u... with the update. Anybody here tried it yet?

reply

[–] joemaller1 link

Direct download link from Apple Support: https://support.apple.com/kb/DL1946

reply

[–] iagooar link

> Description: A logic error existed in the validation of credentials.

No shit! No one thought of that... Come on, for writing this, you better don't write anything at all...

reply

[–] lisper link

How on earth can you tell if someone is a native citizen from their name?

And what difference does it make if they're native or naturalized? One of the bedrock principles of American democracy is (or at least is supposed to be) that a citizen is a citizen. There's a reason that the phrase "second-class citizen" is supposed to have universally pejorative connotations.

reply

[–] nl link

> bedrock principles of American democracy

Clearances aren't democratic (nor should they be).

No idea how they can tell citizen status from the name, though. I thought the US was made up of people from all over earth with all kinds of backgrounds so one couldn't tell from their name.

reply

[–] komali2 link

He's not wrong about it being more difficult for people with dual citizenship to get security clearance, though. At least in that sense you can be a "second class citizen."

reply

[–] lisper link

I'm a naturalized U.S. citizen with a dual citizenship, and I had no trouble (well, no more than the usual trouble) getting a security clearance.

But what does any of this have to do with anything anyway? The linked-to page doesn't mention the NSA, P0 team, or security clearances.

reply

[–] walshemj link

Might be hard for 1st gen citizens. When I started work late 10's in the UK, all 4 grandparents had to be UK nationals.

reply

[–] postit link

First: I used notable names instead of notable persons. If that caused confusion or misunderstanding to the point you believe I was segregating or second-classing anyone, pardon me.

Second: My intent was to reply to Kiddico's message which says "I find it interesting how many of those are attributed to project zero members". That's the relation of p0 with my reply.

Third: Ben Hawkes(NZ), Tavis Ormandy(UK), Ian Beer(UK) and Matt Tate(UK) are often credited as notable members of the project zero team.

reply

[–] summer_steven link

>How on earth can you tell if someone is a native citizen from their name?

Why are you playing dumb? He's clearly talking about someone with a clearly foreign name, not someone from Canada.

I'm sick of people acting willfully ignorant in their arguments

reply

[–] Someone link

Clearly foreign, like Bezos, Obama, or Wozniak?

reply

[–] orionblastar link

We need immigration to have foreigners come here, make startups, grow our economy, and create jobs.

The student visa should lead to a green card. Since it does not immigrants go back to their home nation and do startups there.

Not to be political, but Trump does not get that yet.

reply

[–] summer_steven link

And those are exceptions to the norm.

Look at the census of the 100 most common American names, they're either traditional American names or Spanish names from those who immigrated here over the last 50 years. https://www.thoughtco.com/most-common-us-surnames-1422656

reply

[–] phaemon link

Those top 100 names total 50 million people, out of a total US population of 250 million (at time of 1990 census).

That means that 80% of the US population has a surname other than those on that list. Assuming that 80% of the US population are "foreign" because they aren't in the top 100 most common surnames seems rather foolish.

reply

[–] DRW_ link

A lot of those look like traditional British names (also foreign).

reply

[–] asveikau link

Just want to repeat what lisper said, and even more emphatically as this is personal to me, you cannot tell a native US citizen from their name. I myself have an 11 character surname from the Baltic States. I was born in Washington DC.

What exactly is a native born American name to you? English origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

reply

[–] cortesoft link

I have no idea if this is the case, but it could also be possible that the person you are replying to actually knows of the people listed. He might not be basing his observation on the names themselves.

reply

[–] asveikau link

I have encountered too many similar comments to believe that is the case.

reply

[–] postit link

Please see my reply to lisper

reply

[–] summer_steven link

> I myself have an 11 character surname from the Baltic States.

What exactly is a Baltic surname to you? Russian origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

reply

[–] asveikau link

It's neither Russian nor German. Baltic is a linguistic category on its own. Specifically Lithuanian in my case. Latvian is related. There were also Baltic language speakers in Prussia before it became majority German speaking.

"Surname from the Baltic States" implies linguistic precision and specificity that "surname from the United States" does not convey and is in no means equivalent to. There is some vagueness in what I said but I left it there intentionally, people don't get crazy specific about personal details here usually. I was meaning to say I have a "foreign" surname.

reply

[–] summer_steven link

You're wrong about there being no traditional American. A traditional United States surname is generally English, Scottish, or Welsh as those were the primary people living in the United States from 1550-1850.

For instance, I remember from History class that there were at least 3 famous guys from the 1700s named "John Smith".

reply

[–] asveikau link

You're wrong about the history of the United States. Dutch New Yorkers. Germans in Pennsylvania. (German is the predominant ethnicity of white Americans by the way.) French in Maryland. Lots of land purchased from French and robbed from Spaniards. And I didn't even mention the native peoples... All of these groups exist in significant numbers before the 1800s.

Since you're interested in around 1850, around there starts immigration from places like Ireland, Italy, Poland.. even a few Baltic people.

reply

[–] abrowne link

> robbed from Spaniards

They were Mexican by that point, right?

reply

[–] asveikau link

Depends where you are talking about. In the southwest or the west coast yes. I was thinking of Florida though, which was earlier. Though as I look that up maybe "robbed" is not the right word.

Then of course much later there was the war with Spain which resulted in Caribbean US territories... This is becoming a big tangent though.

reply

[–] summer_steven link

Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh: https://www.ssa.gov/oact/babynames/decades/century.html

No matter what you think, the British Isles are the ones who populated the country.

reply

[–] asveikau link

No matter what you think, white Americans are mostly German. Here is the top hit when I googled that:

"German-Americans are America’s largest single ethnic group .... In 2013, according to the Census bureau, 46m Americans claimed German ancestry: more than the number who traced their roots to Ireland (33m) or England (25m). "

https://www.economist.com/news/united-states/21642222-americ...

reply

[–] dragonwriter link

> Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh

Lots of people of other origins adopted English surnames because the British were the dominant early group, and then later people with British names were, even though not always of British descent.

So, now, sure, British surnames are dominant, but that's often not indicative of British descent.

reply

[–] abrowne link

People often adopted English surnames or Anglicized their names, especially around WWI (also when the huge number of German language newspapers mostly closed and even towns named after German places were renamed).

reply

[–] dragonwriter link

> I find it interesting that the most notable names from P0 team aren't native US citizens.

How do you know?

> Even with dual citizenship they won't get clearance easily to work for NSA.

Not being a native citizen doesn't mean you are a dual citizen; those are orthogonal concepts. Dual citizens are frequently native-born (having citizenship-by-birth in more than one country is a common route to dual citizenship) and naturalized citizens often do not retain foreign citizenship (they formally must renounce it, but some countries don't automatically—or ever—give effect to such renunciation.)

reply

[–] komali2 link

Huh. What kind of computers are they using over at the NSA, anyway? What about their laptops?

reply

[–] postit link

I find it interesting that the most notable names from P0 team aren't native US citizens.

Even with dual citizenship they won't get clearance easily to work for NSA.

reply

[–] nautilus12 link

Long time Mac user, versed in Linux but have been using Mac for its "convenience" for years: Upgraded to High Sierra, and my power modes started working totally irrationally with seemingly no explanation. When I closed the lid it suddenly started going crazy and nearly burnt a hole in my desk. I think it burnt out the logic board in this way, the GPU and kernel started panicking after 2 minutes running. When turned off it would turn itself on and go into this crazy hyper swap mode, the box when I was shipping it to AppleCare seemed like it would catch on fire. Had to keep using SMC shutdown to get it to turn off. I don't know if the issue was High Sierra, MacBook Pro 2016 (which are total crap in my opinion, why in the world would you hardwire the hard drive into the logic board??), or both, but it suffices to say I'm buying a Thinkpad, and I'm only using Ubuntu on it.

reply

[–] chisleu link

Make sure it is a new Intel CPU too so you can't get power management to work there either. #skylakeWasFun

reply

[–] jezfromfuture link

You're an idiot

reply

[–] jrochkind1 link

If I'm reading it right, all those patches are also available for Sierra 10.12.6 and El Capitan 10.11.6 (and will presumably be delivered by an update there), except for the ones that say don't apply to Sierra 10.12.6 (the vulnerability doesn't exist there).

Eg:

> macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

And:

> Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1

> Not impacted: macOS Sierra 10.12.6 and earlier

reply

[–] erikcs link

Most of the CVEs are fixed in Sierra and El Capitan as well.

reply

[–] kevinherron link

Yep... installed the Sierra security update this morning.

reply

[–] johansch link

This is their way of saying: upgrade from Sierra to the seemingly still supremely buggy High Sierra or you'll get owned?

Gee, thanks.

reply