Who controls what is on your Mac?


Carrier
23rd Dec 2014, 17:40
BBC News - Apple issues first automatic bug update for Macs (http://www.bbc.com/news/technology-30587243)

Apple pushes first ever automated security update to Mac users | Reuters (http://www.reuters.com/article/2014/12/23/us-apple-cybersecurity-idUSKBN0K108W20141223)

What else is Apple pushing out on to Mac owners/users without their knowledge or permission?

If it can do this with a so-called security update then it can do the same on behalf of the NSA/GCHQ, the Mafia, bent cops, a rogue state’s “glorious leader” or some other nefarious party. By building such a vulnerability into OSX Apple is exposing innocent Mac owners to having false evidence planted on their Macs or otherwise being set up or attacked by third parties. eg if child porn or Barclay’s Bank Libor/forex rigging evidence is found on a Mac how can any court be sure that it was not planted there by some crooked cop, regulator or prosecutor, either directly or using Apple or a pirate Apple employee as an accessory/accomplice?


The ethical actions that Apple should have taken are:

1 Do everything possible to ensure that OSX on all Macs is secure from outside interference of all kinds. ie only the owner or somebody deliberately authorised by the owner to act on the owner’s behalf, can install updates or make changes to their Mac’s contents, OSX or apps. This should be basic for any OS software developer with common sense, intelligence, competence and integrity!

2 The security update profiled above should have been released in the normal way with owners being advised that an update is available, what it is about and having a choice of whether or not and when to install it.

Such shifty behaviour damages Apple’s reputation and destroys the credibility of Macs for all users requiring any sort of privacy or security - ie just about everyone.

mixture
23rd Dec 2014, 18:39
Carrier,

I'm sorry but your post is yet more mindless drivel posted by the resident PPRuNe Apple bashing community.

As someone who manually installed that NTP patch this very afternoon by clicking "INSTALL" after the little red flag indicator on "App Store" illuminated to tell me there was an update available, I can very much tell you that you are talking out of your backside if you seriously think Apple are somehow secretly installing this patch automatically.

Furthermore, you may wish to do your homework and research System Preferences available before you start ranting away in the future....

http://s24.postimg.org/qspec98wl/UPDATE.png

SpringHeeledJack
23rd Dec 2014, 20:14
I too had this pop up earlier and it said something to the effect that this patch was VERY important to have, and elsewhere I seem to recall that it said it would be automatically induced by midnight and would be ready to go at the next restart. I've not seen anything like that before, well not to my addled memory. I checked my settings, nudged by mr mixture's screenshot and there was no box ticked regarding automatic installation of updates. Out of interest what is/are the vulnerabilities presented by the NTP (?) patch ?

The simple truth is that if anyone with the ability and malevolent intent wants to implicate another through their computer, then they most likely can and will. All the average joe can do is be up to date with all reasonable security updates, stay off dodgy websites and hope that whilst paddling about the sea you're not the tasty morsel that interests a passing shark.


SHJ

mixture
23rd Dec 2014, 21:16
Out of interest what is/are the vulnerabilities presented by the NTP (?) patch ?

It's four vulnerabilities: two of them relate to weak cryptography in relation to authentication keys, one is a buffer overflow and one is a function that does not return, causing the NTP software to continue functioning when an error occurred.

My understanding is that exploitation of these vulnerabilities would limit an attacker to running code at the privilege level the NTP software is running at. But of course this may be used as a stepping stone if another vulnerability is available on your system that would allow them to escalate to root privileges.

All the average joe can do is be up to date with all reasonable security updates

Indeed, and left unprompted, the average joe doesn't bother to update their software .... so push-notifications by manufacturers isn't such a bad thing as it encourages people to keep on top of things.

Background Noise
24th Dec 2014, 09:17
I had this update installed as well I think - a notification popped up saying something like 'update installed'. No notification bubble on the app store icon and it doesn't show up in 'updates installed in the last 30 days' either.

Carrier
13th Jun 2015, 15:40
Apple users raise privacy concerns after hard-drive files uploaded to servers | Technology | The Guardian (http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud)

It is no good advising users to turn off iCloud, keep it signed out, etc. The problem is that with all user-selectable options turned to “off” or ”do not report” your information continues to be sent elsewhere. Your computer is not under your control. The only way to avoid this is to use a version of OSX that does not incorporate this automatic spyware.

The same may apply to applications such as TextEdit whose drafts are being sent elsewhere. It may be necessary to revert to earlier versions which do not contain spyware or to use other applications. Other apps will not be necessary if the automatic online reporting problem is confined to OSX but this has not been confirmed.

Even using applications such as TextEdit, Numbers, Word and Pages when your computer is not connected to the Internet is insufficient as OSX and applications may be set up to store copies of your drafts and send them to Big Brother when you next connect to the Internet. Such hidden drafts would not show up in an anti-virus or malware scan as they are legitimate drafts - which have just been stored for someone else’s use when you next go online. The hidden drafts would then be “removed” from your computer but not from where they have been sent.

Other Apple apps seem to be operating in a similar fashion. Enable Location Services on my iMac with Yosemite 10.10.2 has a blank box but glancing at Security and Privacy indicates that Maps.app and System Services are apps that have requested my location within the last 24 hours. I looked at Maps when it came out and have not used it since. However Security & Privacy indicates Maps still seems to be operating and doing so outside of my control. I have not used Maps for many months let alone within the last 24 hours so it must be spyware operating on some other party’s behalf. Whose and what for? How do I stop it?

What other spyware has Apple introduced and what backdoors are there in OSX and its apps? One OSX backdoor was used by Apple last December to install an update on many Macs without their users' knowledge or permission. Who controls what is on your Mac? - ehMac.ca (http://www.ehmac.ca/anything-mac/129105-who-controls-what-your-mac.html) What else has this backdoor been used for - in both directions - and by who else than Apple? Are there other backdoors?

The Guardian article advises that Apple has been doing this since well before Yosemite was released. The support document Apple published on the subject was dated 16 December 2013 but the Guardian advises the automatic-saving function might go back even further.

The Guardian article exposes that files are saved without the user’s permission or knowledge to “a remote server that Apple controls.” However it is quite likely that they are also being saved to another server(s) that someone else controls. Apple advises: “When a user later gives the file a name and selects a location to store it, the document is “removed” from iCloud (unless, of course, the user intentionally saves the file to iCloud).” Do you really believe that? Do you really believe that Apple introduced automatic-saving of your document drafts online only to have them “removed” when you name or save the document, all without your permission or knowledge, for no reason at all? What is to stop the file being scanned in the meantime, especially as Apple is a known NSA/GCHQ Prism agent or accomplice. There is no mention of removing it from other servers it might have been sent to.

What is the latest situation regarding the iCloud security problem that the Guardian exposed? Has it been eliminated? If not, what is the last version of OSX that does not incorporate anything to do with iCloud or other versions of online storage? What can Mac desktop and laptop users do about other uncontrollable apps such as Maps? Helpful answers will be appreciated!

londonman
13th Jun 2015, 21:30
I think you are being utterly paranoid and talking out of your backside. For example, how on earth do you expect Maps to work if it does not know your location?

SpringHeeledJack
14th Jun 2015, 06:23
I would have to agree that 'maps' would need to know where you were to function in the way that Apple would want it to, e.g. location services for those with smart phones etc. As to the rest, who knows what is sent out, and once sent out it's fair game for whomever it would seem. It would perhaps make sense for companies to momentarily 'save' a draft to their servers as a protection to the user against data loss for reasons various, very considerate…..the flip side is that it can be abused, rendering the expected privacy toothless. Who knows what happens, but I have to say that on the whole Apple seem to offer more protection than many in my small experience.


SHJ

mixture
14th Jun 2015, 20:40
I think you are being utterly paranoid


I would agree.

There is a lot of paranoia and FUD ("Fear Uncertainty and Doubt") being spread above.

I would urge anyone reading to read the words written in conjunction with a gigantic pinch of salt.

It should also be pointed out that you can either entirely disable "iCloud Drive" or disable TextEdit's use of iCloud. All you need to do is look in System Preferences, it's right there !

No further comment.

SpringHeeledJack
17th Jun 2015, 16:08
Thought I'd tag this query onto this thread, as it seemed to happen without permission :rolleyes: I was on a reputable newspaper site, clicked on a link for information and then just like that iTunes opened and 2 Apps for Mac and Android were presented for my perusal. These Apps would obviously provide the sought info. My question is how did the article link open my iTunes without asking me ? I'm pretty sure that in the preferences this is not allowed, as in I didn't tick the box to allow it, or any other connection attempts. Low tech confused :confused:


SHJ

mixture
17th Jun 2015, 16:48
These Apps would obviously provide the sought info. My question is how did the article link open my iTunes without asking me ? I'm pretty sure that in the preferences this is not allowed, as in I didn't tick the box to allow it, or any other connection attempts.

In much the same way as when you click on a word file, it opens Word, and when you click on a PDF, it opens a PDF reader. The iTunes links are associated with iTunes.

Technically speaking, the "reputable newspaper site" is doing things the old way. The new way is to use Apple Link Maker (iTunes Link Maker (http://linkmaker.itunes.apple.com/)) to generate a standard link "http" that will open in a web browser.

However, what the newspaper did was replace "http://" with "itms://". Your system has an association defined that says addresses that start "itms" are handled by iTunes. And hence you were presented with the content in iTunes.
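
The scheme-to-application hand-off described in the post above, as an added example that is not part of the original thread: it lists which links in a page a browser would pass to an OS-registered handler instead of rendering itself, and rebuilds the "http://" form of any "itms://" link. The sample markup, base URL and function names are constructed for illustration.

```javascript
// Schemes the browser renders itself. Any other scheme is handed to whatever
// application the operating system has associated with it.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Constructed sample markup, not taken from any real site.
const SAMPLE_HTML = `
<a href="/news/technology">Technology</a>
<a href="https://example.com/article">Article</a>
<a href="itms://itunes.apple.com/us/app/example-app/id0000000000">Get the app</a>
<a href="mailto:desk@example.com">Contact</a>
`;

// Pull href values out of anchor tags (simple pattern, enough for an audit pass).
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[2]);
  return hrefs;
}

// Classify each link by scheme. Relative links resolve against baseUrl,
// so they inherit the page's own scheme.
function auditLinks(html, baseUrl) {
  return extractHrefs(html).map((href) => {
    let url;
    try {
      url = new URL(href, baseUrl);
    } catch {
      return { href, scheme: null, handoff: false, webEquivalent: null };
    }
    const scheme = url.protocol;
    const handoff = !WEB_SCHEMES.has(scheme);
    // An itms:// link keeps the host and path of the web link it was made
    // from, so swapping the scheme back gives the browser-only form.
    const webEquivalent =
      scheme === "itms:"
        ? "http://" + url.host + url.pathname + url.search
        : null;
    return { href, scheme, handoff, webEquivalent };
  });
}

const report = auditLinks(SAMPLE_HTML, "https://news.example/");
for (const r of report) {
  if (r.handoff) console.log(`${r.scheme} opens an external app: ${r.href}`);
}
```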

Mac the Knife
17th Jun 2015, 16:56
Firstly: I also agree that you are being utterly paranoid.

Suppose Apple discovered an important network security threat (which they did recently) would it not be wise to push an update pronto? Or wait for the average dozy user to install the update? C'mon now!

Generally speaking, Apple is not that interested in which sites you visit or your porn preferences, except to make it easier for you to access them. They're not (unlike Google/Android) in the business of personal data mining and use.

Secondly: If you're in the business of dealing with valuable/embarrassing data, you just have to know that the bare Net is NOT (and has never been) secure - to any OS. Secure encryption on any remotely sensitive data is a MUST. Encrypt/encipher, use TOR or the darknet (unreliable), use an unusual language like Catalan or Maltese, use POTS, use proxies, use the postal service or public phones with your own acoustic coupler modem (remember those?).

Thirdly: Forget about personal privacy if you're going to use the Net - within days there is such an enormous amount of information that can be collated about you, your ideas and habits around that you wouldn't believe it. And if I really want to know about your personal life I just have to sort through the trash you put in your dumpster.

Mac

:cool:

SpringHeeledJack
17th Jun 2015, 19:38
Thank you mr mixture for your succinct explanation. Another little snippet wot I've learnt today.

And if I really want to know about your personal life I just have to sort through the trash you put in your dumpster.


I realise that you weren't referring to me mr knife, but if you rummaged around in my dumpster you would only discover that I like a bit of junk in the trunk :}



SHJ

Carrier
23rd Jun 2015, 18:41
Google eavesdropping tool installed on computers without permission | Technology | The Guardian (http://www.theguardian.com/technology/2015/jun/23/google-eavesdropping-tool-installed-computers-without-permission)

Do those posters above who use the word “paranoid” believe that it applies to the technical reporters at the BBC, The Guardian and Reuters, along with those individuals and organisations they have named as being concerned?

Do you really know more than that lot? I believe that their concerns, which I have just reiterated, are valid.

Why do you think those individuals and organisations who raised these concerns bothered to contact the media and the media in turn published their concerns?

What is so difficult to understand about this:
“It is no good advising users to turn off iCloud, keep it signed out, etc. The problem is that with all user-selectable options turned to “off” or ”do not report” your information continues to be sent elsewhere. Your computer is not under your control.” and
“However Security & Privacy indicates Maps still seems to be operating and doing so outside of my control. I have not used Maps for many months let alone within the last 24 hours so it must be spyware operating on some other party’s behalf.”

I agree Maps needs to know my location if I want it to navigate from where I am to some destination, ie using it instead of a stand-alone GPS, but I would not be using a desktop iMac for that purpose. Maps should not be trying to find my location if I have not opened the app! Even then it should not do so if I use it just like a paper atlas or map book.

The default in all software, OS and Apps, should always be to have spyware actions “inactive” unless deliberately turned on by the user.

“The Guardian article advises that Apple has been doing this since well before Yosemite was released. The support document Apple published on the subject was dated 16 December 2013 but the Guardian advises the automatic-saving function might go back even further.” How much further back?

Again, what is the last version of OSX that does not incorporate anything to do with iCloud or other versions of online storage?

Fly-by-Wife
23rd Jun 2015, 22:07
Do those posters above who use the word “paranoid” believe that it applies to the technical reporters at the BBC, The Guardian and Reuters,

In a word, yes.

Judging by the inept reporting standards of much of the media when "reporting" aviation news, I think any regular readers of these forums place very little faith in the journalists' ability to report anything technical with any degree of accuracy.

If aviation professionals and enthusiasts who really do know their own subject see regular and frequent howlers in the media on aviation topics, why should they have more faith in the reporting of other areas?

FBW

mixture
24th Jun 2015, 09:44
Carrier

Give it a break ! :ugh:

And yes... I agree with what Fly-by-Wife says ... journos are morons when it comes to technical matters, and their job is to sell newspapers and/or attract audiences, so they are very much prone to "talking up" problems.