
Apple security and privacy


Ric Ford

MacInTouch
Hmmm... not a great sign?
Dan Goodin/Ars Technica said:
A glut of iOS 0-days pushes their price below cost of those for Android
For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS.

An updated price list published Tuesday shows Zerodium will now pay $2.5 million apiece for “full chain (Zero-Click) with persistence” Android zero-days compared with $2 million for iOS zero-days that meet the same criteria. The previous program overview offered $2 million for unpublished iOS exploits but made no reference at all to the exploits for Android. Zerodium founder and CEO Chaouki Bekrar told Ars the broker paid on a “case by case basis depending on the chain” for Android exploits.

Bekrar told Ars the move was prompted by a glut of working iOS exploit chains that has coincided with the growing difficulty of finding comparable exploits for versions 8 and 9 of Android.
 


Ric Ford

MacInTouch
Some interesting changes as macOS Catalina looms...
Eclectic Light Co. said:
Notarization devalued?
For fifteen months, since its unveiling at WWDC in June 2018, Apple has been preaching the virtues of the improved security to come with notarization. Then in one short announcement to developers last week, it abandoned much of this grand plan until January next year, over a quarter of the way through Catalina’s release cycle.

... In one announcement, Apple blew away previous claims as to the importance of satisfying the requirements which had been giving so many developers so much trouble over the last year or more. And those requirements aren’t going to be re-imposed on new notarizations until January of next year. I’m sure that the many developers who have struggled to ensure that the entire contents of their app bundle have been correctly signed using their developer ID and have been hardened are delighted to know that, had they waited until the last minute, they wouldn’t have needed to bother.

Short of abandoning the requirement for notarization altogether, at the last minute Apple has signalled that its only real value is in its own malware checks. Maybe all the rest, the advantages of the hardened runtime, of deep code signing, were nothing more than security theatre as some have claimed?
 


Eclectic Light Co. said:
Notarization devalued?
For fifteen months, since its unveiling at WWDC in June 2018, Apple has been preaching the virtues of the improved security to come with notarization. Then in one short announcement to developers last week, it abandoned much of this grand plan until January next year, over a quarter of the way through Catalina’s release cycle. [...]

Short of abandoning the requirement for notarization altogether, at the last minute Apple has signalled that its only real value is in its own malware checks. Maybe all the rest, the advantages of the hardened runtime, of deep code signing, were nothing more than security theatre as some have claimed?
Hmm, that does seem a little harsh. As much as the various notarization issues Howard's been writing about are a mess, there's no real question that the hardened runtime adds robustness against several common security issues to programs that use it. And all Apple really did was delay the need to meet a bunch of potentially tricky, somewhat badly documented new requirements for four months. It's hard for me to see that as a "signal" of anything, as opposed to a pragmatic reaction to discovering lots of rough edges during the beta period...
 


Ric Ford

MacInTouch
Watch out for this big trap with T2-based Macs...
Eclectic Light Co. said:
Don’t try reverting a T2 to older firmware
There’s been a recent spate of T2-equipped Macs which have suddenly become bricked and unusable. One cause for this has come to light: trying to downgrade the firmware in that Mac, for example when trying to restore Mojave on a Mac which has been running Catalina beta, according to recent tweeted reports by @tperfitt and @eholtam.
#T2 #BridgeOS #firmware
 


Watch out for this big trap with T2-based Macs...
So is this an unintended consequence or just another step toward Apple's attempt to lock down the entire platform? Apple can do whatever they desire with your computer once they own it with the T2 chip. Apple's claims that the T2 chip is for your benefit are [misleading]. I will never buy a T2 chip-equipped Mac.
 


So is this an unintended consequence or just another step toward Apple's attempt to lock down the entire platform?
If they actually wanted to prohibit downgrades, then they would have removed the feature from the recovery partition. They wouldn't give you the feature and then rig it so it bricks the hardware - that would just create massive support costs that no company wants to incur.

This is a nasty bug. It's not the first catastrophic bug to come from Apple, and it won't be the last. Hopefully they will fix this before Catalina is released - one might argue that beta testers should be prepared for disaster (which is why people are always warned to never use beta code in a production environment), but a bug like this will become an instant (and well deserved) PR nightmare if it persists into the commercial release.
 


So is this an unintended consequence or just another step toward Apple's attempt to lock down the entire platform?
I feel certain it was unintended and primarily an issue for those who decided to participate in macOS beta testing, changed their minds and attempted to back out. I suspect Apple can come up with a procedure to allow this, eventually.
I will never buy a T2 chip-equipped Mac.
That could mean that you won't ever buy another new Mac, going forward.
 



I have not read all the previous posts but wonder, if one had disabled all security preferences in macOS Recovery mode on T2 machines, if downgrading without problems would work.
 



They claim it is to improve the privacy of my data. How is this misleading, short of conspiracy theories? I hope I never have to buy another Mac without a T2!
Yes, you get improved security, but you also get so much more, like the inability to recover your data when the chip fails or anything in the storage chain decides to not work as advertised.

Then there are the things that TPM gives you freely... like removing your freedom of choice, blocking your access to websites, all the DRM stuff. Are these things being done right now? No, but they can be implemented when you have a TPM chip in your computer.

People forget this was considered an outrage when it was suggested by Intel a number of years ago. Do a Google search and you'll find (hidden among the more modern shill sites for the technology) the reasons why you should be more afraid of this "feature" than welcoming. You buy into a small part of it, and the rest comes in the back door.

Here's an example of such behavior: Remember DVDs? The public reason was to provide great quality video and audio; the real reason was to obfuscate the video and audio in a DRM'd mess of MPEG-2. Everything Big Tech wants to provide has, at its core raison d'etre, the desire to lock you up in a "secure" exclusive ecosystem [e.g. the iPhone].

The T2 chip isn't even necessary to provide security. What about FileVault isn't good enough? Are you referring to runtime security? Isn't that what macOS is supposed to do?

Be careful what you wish for, as you just might get it.
 


Ric Ford

MacInTouch
Apple has posted an update to its invisible MRT [Malware Removal Tool] anti-malware system, updating it to version 1.49.

Here's a bit more about MRT:
Krypted (Charles S. Edge) said:
Using Apple’s Built-In Malware Removal Tool (MRT)
macOS now comes with a vulnerability scanner called mrt. It’s installed within the MRT.app bundle in /System/Library/CoreServices/MRT.app/Contents/MacOS/ and while it doesn’t currently have a lot that it can do – it does protect against the various bad stuff that is actually available for the Mac.
 


Ric Ford

MacInTouch
Another lockscreen vulnerability in iOS just popped up:
The Verge said:
iOS 13 exploit bypasses the lockscreen for access to contacts
Apple is planning to release iOS 13 next week, but one security researcher has already discovered a lockscreen bypass. The exploit allows you to bypass the lockscreen and gain access to all contact information on an iPhone. Jose Rodriguez discovered the exploit and revealed to The Verge that he reported it to Apple on July 17th, but it’s still working in the Gold Master (GM) version of iOS 13 that will be released on September 19th.
 



The majority of personal computers get by just fine without a T2. Apple could have made a T2 type device for other Mac-centric purposes and left the SSD out of the equation. Standard M.2 NVMe SSDs would have been just fine.
Agreed. The coupling of T2 <-> SSD means:
  1. You need a backup of the data for recovery, in the case anything fails.
  2. That backup will not be protected by the T2 chip, therefore making this coupling moot in the end.
 


Agreed. The coupling of T2 <-> SSD means:
  1. You need a backup of the data for recovery, in the case anything fails.
  2. That backup will not be protected by the T2 chip, therefore making this coupling moot in the end.
I think the counterargument is: If I steal your laptop while you're sitting at a Starbucks, the T2 will completely prevent me from getting your data off the SSD, which I could perhaps otherwise do. Whereas, your backup devices are in a locked room, or at minimum not at the Starbucks with you, and therefore much harder to steal.

There are tradeoffs all over the place here, and different people will land on different sides of some of them. For me personally, as someone who fiddles with the hardware and software insides of computers a lot, it's a tough call. But I'm not sure that's nearly as true for the great majority of people who think of their computer as a sealed-up black-box appliance.
 


As another poster noted: the additional protection offered by the T2 chip with Storage Media vs. FileVault 2 appears minimal.

You may get some benefit re: the speed with which the data can be encrypted, potential protection of the RAM contents, etc. but the T2 chip isn’t a game changer re: hard drive content protection.

The Secure Enclave inside it does allow for faster unlocks/purchases/etc. via the biometric sensor. Reduce barriers between impulse purchases and your wallet where possible!

The unwillingness of Apple to offer removable storage media or RAM across most of its lineup has nothing to do with the T2 chip, however. The T2 chip simply makes it even more likely that some day the hackintosh community will be shut out. Simply too many assets are flowing in the direction of walling off the ecosystem.
 


Ric Ford

MacInTouch
You may get some benefit re: the speed with which the data can be encrypted, potential protection of the RAM contents, etc. but the T2 chip isn’t a game changer re: hard drive content protection.
Actually, the ability to instantly secure an entire drive or change its password is a game-changer, I think, so that you don't have to wait hours upon hours to complete encryption/decryption, leaving files unprotected in the long interim.
Apple said:
Apple T2 Security Chip Overview [PDF]
... Internal volume encryption on a Mac with the T2 chip is implemented by constructing and managing a hierarchy of keys (see Figure 2), and builds on the hardware encryption technologies built into the chip. This hierarchy of keys is designed to simultaneously achieve four goals:
  • Require the user’s password for decryption.
  • Protect the system from a brute-force attack directly against storage media removed from Mac.
  • Provide a swift and secure method for wiping content via deletion of necessary cryptographic material.
  • Enable users to change their password (and in turn the cryptographic keys used to protect their files) without requiring re-encryption of the entire volume.
On the other hand, being prevented from booting other operating systems (e.g. Linux) on a Mac, being subject to Apple's whims and ability to instantly disable your computer, being unable to boot from Target Disk Mode, and being charged outrageous prices for non-upgradable storage... not so great.
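The key hierarchy in Apple's overview can be modelled in a few lines: data blocks are encrypted under a random volume key, and only a wrapped copy of that key, protected by a key derived from the user's password, is ever stored; changing the password re-wraps one small key instead of re-encrypting the volume, and destroying that wrapped key wipes everything. This is an added illustration, not Apple's code or the T2's actual construction; it substitutes an HMAC-SHA256 authenticated-encryption stand-in from the Python standard library for the chip's AES engine, and the key sizes and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption from the standard library only: HMAC-SHA256 as a
# counter-mode keystream, then encrypt-then-MAC. It stands in for the T2's AES
# engine; the key hierarchy built around it is what this example demonstrates.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Slow derivation is what makes guessing the password expensive for someone
    # who has removed the storage media (Apple's second goal above). The
    # iteration count is an assumption, not Apple's figure.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class Volume:
    """Data blocks are encrypted under a random volume key (VEK); the VEK itself
    is stored only wrapped under a key derived from the user's password."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        vek = os.urandom(32)               # never written to storage in the clear
        self.wrapped_vek = seal(derive_kek(password, self.salt), vek)
        self.blocks = []

    def _unwrap(self, password: str) -> bytes:
        if self.wrapped_vek is None:
            raise ValueError("volume was wiped: key material is gone")
        return unseal(derive_kek(password, self.salt), self.wrapped_vek)

    def write(self, password: str, data: bytes) -> int:
        self.blocks.append(seal(self._unwrap(password), data))
        return len(self.blocks) - 1

    def read(self, password: str, index: int) -> bytes:
        return unseal(self._unwrap(password), self.blocks[index])

    def change_password(self, old: str, new: str) -> int:
        """Re-wrap the VEK under the new password; returns blocks rewritten (0)."""
        vek = self._unwrap(old)
        self.salt = os.urandom(16)
        self.wrapped_vek = seal(derive_kek(new, self.salt), vek)
        return 0

    def wipe(self) -> None:
        # Goal 3: destroying the wrapped key leaves every block undecryptable
        # without touching the blocks themselves.
        self.wrapped_vek = None
```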
 


Agreed. The coupling of T2 <-> SSD means:
  1. You need a backup of the data for recovery, in the case anything fails.
  2. That backup will not be protected by the T2 chip, therefore making this coupling moot in the end.
1. You should always be making backups on external media. Data recovery services don't always recover anything, and they're very expensive.

No matter how reliable storage media might be, it can still fail and it can still fail in a way that nothing is recoverable. Especially if you encrypt the file system (which should be done on any portable device like a laptop). And even if data recovery is possible, that won't protect you against loss due to data corruption (whether due to malware or simple user error).

2. Nobody in their right mind would want their external backup tied to a single computer (e.g. via a T2), because that would make it impossible to restore it to a new computer, should the first be lost, stolen, destroyed or otherwise become unusable.

But (as was already mentioned), that shouldn't matter. The T2's encryption is designed to keep SSD modules from being separated from their computer. This is very important for computers that could be lost or stolen (like laptops). But you will probably be storing your backups in a more secure manner, and your users will not likely be traveling with them.

You may still want to encrypt your backups (especially if they are going to be transported/stored off-site), but there are plenty of application-level solutions for that. Some examples include backing up to a FileVault volume, backing up to an encrypted disk image and using backup software that does its own encryption.
 


It should be remembered that, when you empty the Trash on a computer equipped with an SSD, Garbage Collection will ([some time] thereafter) zero out the data in the now-unallocated blocks in order to make room for new data. If the system also has Trim enabled, it will happen sooner and more efficiently. Translation: your data is gone for good.
 


Ric Ford

MacInTouch
But you will probably be storing your backups in a more secure manner, and your users will not likely be traveling with them.
I'd think you'd want to have backups while travelling, too, for all the usual reasons. And backups at home or in the office are, of course, also subject to theft.
You may still want to encrypt your backups (especially if they are going to be transported/stored off-site), but there are plenty of application-level solutions for that. Some examples include backing up to a FileVault volume, backing up to an encrypted disk image and using backup software that does its own encryption.
But this is the issue, isn't it? If FileVault is adequately secure, we don't need the added problems of T2, and if FileVault is not secure, then we've got a very big problem that T2 doesn't solve.
 


Actually, the ability to instantly secure an entire drive or change its password is a game-changer, I think, so that you don't have to wait hours upon hours to complete encryption/decryption, leaving files unprotected in the long interim.
If I recall correctly, the time it takes to encrypt an empty 40TB RAID volume is relatively short. But if you fill your drive up with a lot of stuff first and only then enable encryption, it can take hours / days.

Hence, I prefer formatting a new backup with encryption right from inside Disk Utility. It's one of the format options (i.e. Mac OS Extended, Journaled and Encrypted) and it takes little time. Disk Utility even evaluates your password strength and gives you the option to add a hint and save the password in the keychain, so the drive can be auto-mounted.

By the way, what happens if the T2 chip is damaged? Can the contents of the secure enclave be replicated on a separate computer and the drive content imaged, or is the data permanently encrypted? For a FileVault-protected drive to be recovered, just the hard drive has to work... and it allows pretty seamless cloning / hard drive replacement for eligible (non-T2?) computers.

I'm particularly not a fan of only Apple-authorized repair shops being able to greenlight repairs so the T2 chip doesn't brick the computer. Similarly, not being able to boot into Linux cuts off one of the classic ways in which "vintage" Apple hardware could be re-purposed ("vintage" as defined by Apple, not the end-user).
 


Ric Ford

MacInTouch
If I recall correctly, the time it takes to encrypt an empty 40TB RAID volume is relatively short. But if you fill your drive up with a lot of stuff first and only then enable encryption, it can take hours / days. Hence, I prefer formatting a new backup with encryption right from inside Disk Utility. It's one of the format options (i.e. Mac OS Extended, Journaled and Encrypted) and it takes little time.
Exactly. Unfortunately, Apple makes this more problematic for migration than it should be, as I've documented previously, and which Bombich (of Carbon Copy Cloner) recommends against. However, with a T2-based Mac, the internal drive encryption/decryption/password changes are far faster than for non-T2 FileVault volumes.
 


It should be remembered that, when you empty the Trash on a computer equipped with an SSD, Garbage Collection will ([some time] thereafter) zero out the data in the now-unallocated blocks in order to make room for new data. If the system also has Trim enabled, it will happen sooner and more efficiently. Translation: your data is gone for good.
If you have Trim enabled, then those files will become garbage (and subject to collection at some point in the future) as soon as you empty the trash.

If you don't use Trim, then the drive doesn't know that those files' blocks are no longer in use. The drive won't declare them garbage until the (corresponding logical) blocks are overwritten by something else. Only then will garbage collection be able to do something.

(While it might theoretically be possible for a garbage collection algorithm to have intimate knowledge of a file system, so it can immediately mark blocks as garbage without Trim and without waiting for an overwrite, I doubt any production drive would do so, since it would be incompatible with any other kind of file system.)
I'd think you'd want to have backups while travelling, too, for all the usual reasons. And backups at home or in the office are, of course, also subject to theft. But this is the issue, isn't it? If FileVault is adequately secure, we don't need the added problems of T2, and if FileVault is not secure, then we've got a very big problem that T2 doesn't solve.
Really? You'd travel with your backups? Where they could get lost or stolen along with your laptop?

Yes, someone could break into your home or office, but that's much less likely than someone running away with your bag while you're at Starbucks or in an airport.

And since you don't need them to be attached 24/7, you can lock them in a secure location (like a file cabinet or a safe) when you're not actually making backups.

As for the T2, its purpose is different from FileVault. The T2 prevents the flash chips from being accessed by a different computer, but does nothing about access by software on that computer. If you don't also enable FileVault, then anyone can boot that Mac (maybe into recovery mode) and access all your data.

It's a different solution because it's trying to solve a different problem.
By the way, what happens if the T2 chip is damaged? Can the contents of the secure enclave be replicated on a separate computer and the drive content imaged, or is the data permanently encrypted?
If the T2 gets damaged, the bonded flash chips are as good as dead. If there is any possible way to recover the data, then it would undermine the entire reason for its existence.

It has always been critically important that you make backups. The T2's encryption strengthens the argument, but it really doesn't change this fact in any meaningful way. All storage devices will eventually die, and recovery isn't always possible, whether or not there is a T2 chip involved.
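The Trim versus garbage-collection distinction in the reply above, as an added model that is not from any real drive's firmware: a flash translation layer maps logical blocks to physical pages, a write always lands on a fresh page and invalidates the old one, Trim invalidates pages as soon as the host frees them, and without Trim a deleted file's pages stay valid until the same logical block is overwritten. One page per logical block and no erase-block grouping are simplifying assumptions.

```python
class ToySSD:
    """Minimal flash translation layer. Physical pages are write-once until
    garbage collection erases them; the drive never sees the file system."""

    def __init__(self, physical_pages: int):
        self.pages = [None] * physical_pages      # raw contents (None = erased)
        self.valid = [False] * physical_pages     # does a logical block still map here?
        self.l2p = {}                             # logical block -> physical page

    def _allocate(self) -> int:
        for i, page in enumerate(self.pages):
            if page is None:
                return i
        raise RuntimeError("no erased pages left; run collect_garbage()")

    def write(self, lba: int, data: bytes) -> None:
        # Flash cannot be rewritten in place: take a fresh page, then retire the
        # old mapping. Only at this point does the old copy become garbage.
        page = self._allocate()
        self.pages[page], self.valid[page] = data, True
        old = self.l2p.get(lba)
        if old is not None:
            self.valid[old] = False
        self.l2p[lba] = page

    def trim(self, lbas) -> None:
        # The host tells the drive these blocks are free: invalidate immediately.
        for lba in lbas:
            page = self.l2p.pop(lba, None)
            if page is not None:
                self.valid[page] = False

    def collect_garbage(self) -> int:
        """Erase every page holding data no logical block maps to; return the count."""
        reclaimed = 0
        for i, page in enumerate(self.pages):
            if page is not None and not self.valid[i]:
                self.pages[i] = None
                reclaimed += 1
        return reclaimed

    def still_on_flash(self, data: bytes) -> bool:
        """Would reading the raw chips (bypassing the mapping) still find this data?"""
        return data in self.pages


def delete_scenario(use_trim: bool) -> dict:
    """A two-block file is deleted by the host; later the host reuses one block.
    Constructed sample data; compare the two branches."""
    ssd = ToySSD(physical_pages=8)
    ssd.write(0, b"file-part-1")
    ssd.write(1, b"file-part-2")
    if use_trim:
        ssd.trim([0, 1])          # file system frees the blocks and says so
    # without Trim the file system frees the blocks but the drive is never told
    reclaimed = ssd.collect_garbage()
    after_delete = ssd.still_on_flash(b"file-part-1")
    ssd.write(0, b"new-file")     # host reuses logical block 0 for a new file
    ssd.collect_garbage()
    return {
        "reclaimed_on_delete": reclaimed,
        "part1_on_flash_after_delete": after_delete,
        "part1_on_flash_after_overwrite": ssd.still_on_flash(b"file-part-1"),
        "part2_on_flash_after_overwrite": ssd.still_on_flash(b"file-part-2"),
    }
```

Without Trim, the block that was never reused keeps the deleted file's data on the chips indefinitely; with Trim, both blocks are reclaimable at the first collection.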
 


Ric Ford

MacInTouch
Really? You'd travel with your backups? Where they could get lost or stolen along with your laptop?
And you'd work on the road without backing up, so if your laptop is stolen or breaks, you lose all your work and your ability to work until you return home (if you have an old backup there)? Do you ever travel with a computer that doesn't have a T2 system? Is everything then at risk?
 


There is a middle ground.

I travel with a burner laptop and two 2.5” spinners for image storage. It helps avoid the issue of trying to effect multi-gigabyte transfers to the cloud in remote locations and it also allows relatively quick data transfers.

During the day, I take one drive into the field with me, leaving the other behind at the hotel. In the evening, I process the files and then store identical copies on both drives.

Granted, an overnight robbery would expose both drives to theft, but there is only so much paranoia that I want to entertain while vacationing. If you travel to more exciting places than I do, you may want a cloud-based backup.

The burner laptop and phone are a simple way to limit potential data breaches, should those assets get seized, stolen, whatever. Nothing you don’t expressly need for a trip should be on those assets. It’s also a much smaller loss should they break.
 


If you don't use TRIM, then the drive doesn't know that those files' blocks are no longer in use. The drive won't declare them garbage until the (corresponding logical) blocks are overwritten by something else. Only then will garbage collection be able to do something.
David, your description of the difference between Trim and "garbage collection" is clear, and one of the best I've read. What isn't clear is what you mean by logical blocks being overwritten triggering garbage collection in the absence of Trim.

It is my understanding that opening a file is just a read operation. But that if the file is edited and saved back to an SSD, the drive controller may write the new save to a different memory location and "know" to mark the prior location for collection. Is that what you mean?

It remains my understanding that, in the absence of Trim, deleting a file in a computer's OS does not mark the file's memory location on an SSD as available to clean. We certainly wouldn't want the SSD controller removing files just because they haven't been (e.g.) accessed in months. I have a couple of Android devices with Google programs that offer to do just that, to improve performance and open space, and it's actually scary.

Actually, the ability to instantly secure an entire drive or change its password is a game-changer, I think, so that you don't have to wait hours upon hours to complete encryption/decryption, leaving files unprotected in the long interim.
Whether setting up a new Linux system with LUKS encryption or formatting an external drive with ext4 and LUKS encryption, the process is all but instantaneous. It's been a while, but I frequently used Disk Utility to create encrypted partitions and DMGs both on my Mac's internal and external drives. Again, plenty fast.

What wasn't fast was the old FileVault on spinning HDDs. I'm not sure if that was before AES-NI was built into Intel chips, but it was so slow, I didn't do it but did store data in those encrypted partitions and DMGs.

Changing passwords? I'd never thought about it, but sites on the Internet say it is possible to change passwords on Mac volumes, DMGs, and in Linux on LUKS.

And you'd work on the road without backing up . . .
My wife's corporate laptop was continuously backing up over the company's VPN, and since she was handling sensitive data, hopefully securely.

That's the model of Google Drive, One Drive, and iCloud. When Chromebooks first came to market, Google ran ads saying users could lose them in a river without worry, because their data was "safe Google Drive." Safe, perhaps, if the connection to get it there did its job and was itself safe, and you don't mind your data being readable by your cloud provider.

Both portable SSDs and large-capacity, fast thumb drives offer a way to back up securely when away from home, without the Cloud.

There is a middle ground. I travel with a burner laptop and two 2.5” spinners for image storage.
Unstated in this thread is the matter of crossing a border and the border guard demanding access to your equipment, including encrypted files.
 


Unstated in this thread is the matter of crossing a border and the border guard demanding access to your equipment, including encrypted files.
Hence the use of the word "seized." If neither the laptop nor the phone have any useful information on them for border guards to swim through, then you’ve minimized your exposure.

Sure, some folk have asserted their untested constitutional 4th Amendment rights and await their day in court. In the meantime, DHS gets to revoke their global entry / clear / whatever credentials, “interviews” them every time for multiple hours when they try to enter or leave the country, and so on. Some due process that is.

This is where the cloud (if properly encrypted) can make a significant difference. 1Password tried to justify its subscription model on this feature alone, i.e. the ability to delete the password vault before travel, being able to hand over a “clean” phone for customs inspectors, and only reloading the passwords as needed at the destination. They do emphasize not lying to inspectors, however.

I also don’t consider my snaps that interesting.
 

