
A Little .Mac Security Flaw

kdawson posted more than 6 years ago | from the case-for-thumb-drives dept.

Security 328

deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."


328 comments


Apple's response? (5, Insightful)

PFAK (524350) | more than 6 years ago | (#21715224)

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

Re:Apple's response? (5, Funny)

mboverload (657893) | more than 6 years ago | (#21715240)

> Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

0H N0ES U DIDNT APPLE IS TEH PERFECT

A minor flaw? Tosh. (5, Insightful)

blowdart (31458) | more than 6 years ago | (#21715478)

0H N0ES U DIDNT APPLE IS TEH PERFECT

Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.

The site listed (but not linked [thebadapples.info] ) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.

Re:A minor flaw? Tosh. (5, Funny)

Colin Smith (2679) | more than 6 years ago | (#21715710)

> Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin.

Macs make up about 3% of the computer using population. This means all flaws are minor.

 

Re:A minor flaw? Tosh. (2, Funny)

kestasjk (933987) | more than 6 years ago | (#21715954)

But that 3% is the most important group; the 3% containing Einstein and Picasso and Vivaldi, Mac evangelists one and all.

Basically if you see Einstein, Picasso, or Vivaldi, or even Gauss or Heisenberg, using a public computer then Apple will treat this vulnerability as serious.
Last I checked scientists, power-managers and artists don't use computers other than their own, so why should Apple care about this "vulnerability"?

Re:A minor flaw? Tosh. (0)

Anonymous Coward | more than 6 years ago | (#21715918)

Sorry, but if you have access to a shared user account, and the most creative attack you can think of is hitting `back`, then you fail at security.

This is not a security flaw. People using shared user accounts is a security flaw.

When Will Apple Learn (5, Insightful)

numbsafari (139135) | more than 6 years ago | (#21715286)

I am a new Apple user. And reasonably happy.

However, there is one thing that I am very troubled by and it is simply this: Apple's apparent arrogance and ignorance when it comes to security.

Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".

PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good profolactic. A good metaphor for Apple's current approach to security.

Re:When Will Apple Learn (3, Informative)

noewun (591275) | more than 6 years ago | (#21715350)

You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes.

I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates.

Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.

No, incident does prove Apple is lacking ... (4, Insightful)

AHumbleOpinion (546848) | more than 6 years ago | (#21715444)

Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.

You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.

Re:No, incident does prove Apple is lacking ... (0, Redundant)

Angostura (703910) | more than 6 years ago | (#21715462)

> they did not respond by adding a logout option to a *web* interface.

Yet.

Re:No, incident does prove Apple is lacking ... (3, Informative)

Trillan (597339) | more than 6 years ago | (#21715472)

You realize that the post was probably deleted by some poorly-trained low-level support monkey, right?

Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.

Re:No, incident does prove Apple is lacking ... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21715520)

If you have an ADC account (it's free) you can submit via bugreport.apple.com

Feedback never gets a response from what I have heard, but is listened to. Look at the new feature in the latest Garageband update for example.

As for the forums, they say quite clearly they are for user to user technical support, not discussion of policies.

Re:No, incident does prove Apple is lacking ... (4, Informative)

wish bot (265150) | more than 6 years ago | (#21716052)

The few times I have submitted comments/bugs to the ADC bugreport email address, I've always received an answer back (even if it's "we're working on it"). The first time it happened I was completely shocked - it was a real email written by a real person with a real answer. Brilliant.

Re:No, incident does prove Apple is lacking ... (0)

Anonymous Coward | more than 6 years ago | (#21715582)

> You realize that the post was probably deleted by someone in poorly-trained low level support monkeys, right?

If this was Microsoft, people would be screaming "OMG teh gates writes bad software"

Re:No, incident does prove Apple is lacking ... (4, Informative)

noewun (591275) | more than 6 years ago | (#21715556)

You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.

How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind. Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. They may be working on a fix already. They may not. They may roll it out in a week. They may not. And an article may appear tomorrow which proves that this security "flaw" was vastly overrated and is not that serious.

If you wanted to critique Apple's security prowess you could compile a list of known security flaws, with their severity and a list of how long it took Apple to patch them. That would be a logically constructed argument. However, this is Slashdot, so I won't hold my breath. This is the same lax "logic" which leads to a lot of the Microsoft bashing around here, and it looks stupid no matter which way it's pointed.

Re:No, incident does prove Apple is lacking ... (1)

AHumbleOpinion (546848) | more than 6 years ago | (#21715592)

How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind.

You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or the forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple.

They may be working on a fix already. They may not. They may roll it out in a week.

That may be timely for a software update delivered to end users but it certainly is not for a web page and server side glue.

Re:No, incident does prove Apple is lacking ... (2, Insightful)

Tim C (15259) | more than 6 years ago | (#21715892)

> The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy.

No - but not putting a log out button on a protected web resource does mean that they are either lax or lazy. I have no particular antipathy towards Apple, but that's just plain dumb. Even if the flaw isn't serious it certainly *looks* bad, and violates established practice for web applications.

Re:No, incident does prove Apple is lacking ... (1, Informative)

eyeye (653962) | more than 6 years ago | (#21715638)

I've had to reboot my macbook pro twice in the last couple of weeks because of new versions of quicktime to fix security flaws, it's 51Mb each time and I don't use quicktime at all. I could stomach it if it didn't require a reboot. How did they couple a shit buggy media player so closely to the OS?

Re:When Will Apple Learn (1)

MobileTatsu-NJG (946591) | more than 6 years ago | (#21716010)

"I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates."

To be fair, this is so silly that it should never have been a security problem. This shouldn't be measured by how quick they fix it, but rather how long they let it last.

"Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits."

I don't think you entirely got his point. The less an exploit is known, the more dangerous it is. Microsoft wouldn't get away with this, Apple shouldn't either.

Re:When Will Apple Learn (0)

Anonymous Coward | more than 6 years ago | (#21716014)

Reading through this kind of consolidated some of the things I have been thinking about Apple.

I'm pretty impressed with their system right now. It works, and it does a bunch of stuff pretty darn well.

Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives? They might make the cases, I doubt they make the power supplies.

Now, that said, they did spec the computer pretty well and quite consistently.

So they made a good OS? Naw, they made a darn good windowing system to replace X though. Of course, all the concepts were out there--nothing technically groundbreaking.

So what does Apple actually make? I think there are two things. One is that they bring a consistency to the system. I don't think they are technically magnificent or anything, Microsoft does a much better job technically than Apple does--but then Apple does an awesome job of choosing its battles. They restrict the hardware which must avoid thousands of "little annoyances" PC users see (like laptop suspend being flaky). They let someone else create the multi-threading OS kernel for them because that's hard.

The other thing they bring is a lot of people who grab onto anything that they can latch onto to make them appear different--the VW bug, iPod, blackberry, headset in ear, iPhone on belt, flower on dash and dreaming of getting that great Rails job--people who want to be perceived as rebels, but are afraid to do so except by joining an even larger in-crowd.

Not that I feel this covers most mac users now, since the mac switched over to the same hardware MS chose decades ago (the intel chipset) and got someone else to write the multithreading kernel they could never figure out and added the ability to run windows as a vm or dual boot, it's been a pretty damn good choice.

I don't recommend you assume that this magnificent money-making skillset in any way applies to security though. OS-X kernel pre-configured with everything closed by default is pretty good, that plus their ability to observe microsoft's security blunders and their low profile may actually get them pretty far security-wise, but if they ever start doing any ground-breaking work, they will most likely start seeing some serious problems.

I hope this didn't sound too anti-mac, I have a mini for my wife and am hoping for a mac laptop for christmas. Currently I'd say it's still ahead of Linux, although Linux is catching up FAST.

Re:When Will Apple Learn (1)

wish bot (265150) | more than 6 years ago | (#21716082)

> Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives?

I'm not sure you comprehend what it takes to engineer something like a Macbook, or even a MacPro. Saying they just choose the components is like saying I just choose the steel when I design something like Southern Cross Station [wikipedia.org]. It's a little more complex than that. They certainly do engineer their own motherboards, spec the components that make them up, and write all the drivers for the kit they use. Just because they use Intel procs these days doesn't mean their kit is a bunch of parts at the local compumart. If you've got a Mini I thought you might understand that - try building one of those yourself ;-)

Re:When Will Apple Learn (0)

Anonymous Coward | more than 6 years ago | (#21715454)

Apple's dealt with far more serious security problems than Microsoft in the distant past. They weren't ready then, but changed until they were. Thus, it isn't a case of "all available signs point to NO", but rather "the only existing and meaningful sign points to YES."

Re:When Will Apple Learn (3, Insightful)

mr100percent (57156) | more than 6 years ago | (#21715458)

I disagree, Apple has responded quite well, building in access control systems, program app executable digital signing, sandboxes, Address Space Randomization, Input Manager Restrictions, Filevault encryption, etc.

Apple hasn't experienced a real virus outbreak, but they thought ahead to implement these features before anything has happened. They beat Microsoft in many of these areas.

Catchup (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21715508)

  • access control systems - built into windows since 3.1 (but only useful since NT4)
  • program app executable digital signing - Windows 2000
  • sandboxes - .net 1.0
  • Address Space Randomization - announced in Vista first
  • Filevault encryption - announced in Vista first; encryption with user keys was available in Windows 2000

Re:When Will Apple Learn (0)

edwardpickman (965122) | more than 6 years ago | (#21715558)

Apple has enjoyed a "blanket" of security because it is low profile and a niche.

Wow where have you been? Mac is hardly an obscure OS. It's been #2 forever and is gaining ground fast lately. The security has made Mac a target for people that want an exploit for bragging rights. So far most of them have required the users to install the exploit themselves. Apple's hardware is hardly "decent". Apple makes exceptional hardware by any standards. The primary complaints are generally the fact there's little you can do to customize them and you can't build your own. Not exactly hardware issues more how the hardware is sold. I can't see where Apple is more susceptible to security exploits than Microsoft. If a single exploit could bring down a company no one would have ever even heard of Microsoft. I'm open minded about which OS I use but I have about 5% of the trouble on my Mac as I do on the four PCs I use daily. My favorite OS is still NT 3.51. It was the most stable and usable of any so far. Second would be OSX Tiger, I've yet to upgrade to Leopard.

Re:When Will Apple Learn (5, Informative)

Auckerman (223266) | more than 6 years ago | (#21715676)

Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

You would think that, during this time, Apple would have used the opportunity to develop an internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.


You are incorrect in so many ways, I find it hard to begin.

1. There is no proof what so ever that Apple's install base is the reason Macs are more secure than Windows. Having network servers off by default and having a default web browser that doesn't run code written in C++, visual basic, and whatever the hell else ActiveX supports these days to be FAR more important than the install base. There are reasons that in the past, if you took a Windows computer out of a brand new box, hooked up via a DSL or Cable modem that your machine was hacked before you were finished logging in for the first time, and it isn't because of the installed base (you do remember that don't you). The Windows machine has active network servers running.

2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. If you don't like their update schedule and want Apache or whatnot to be running up-to-date you can install from the CVS just like the Linux and BSD people do. To me it's like saying Red Hat doesn't respond rapidly to security holes. If you want a day zero fix, update from CVS. For the common user all of this is irrelevant, since their default install isn't listening to network traffic. Apple has also included other under the hood improvements, just like all other vendors, to minimize the risk of buffer overflows.

I'm sorry, Apple's not walking some kind of security minefield just getting lucky all the time. Just like Linux isn't. Unix style security just works very well and is easy to manage. Your computer isn't magic, there's a reason why Microsoft's operating systems are getting owned all the time. There are a LOT of reasons for this, most of them boil down to bad default installs and the environment Microsoft has created within its developer community. An environment that fosters laziness and has typically done very little to stop their bad practices. Things like making applications that require the admin to be logged in in order to run. Which in turn leads to the floor level tech just giving everyone admin access.

Your computer is not made of magic, there are reasons Microsoft's operating systems suck and people complain about them and it's not because they are "not Apple and have a small install base".

Re:When Will Apple Learn (1)

dhavleak (912889) | more than 6 years ago | (#21715840)

> 2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them.

lol. That's easy to do. Keep deleting posts on the issue until you release a fix.

I think ppl are missing the point. If .Mac has a security flaw, and somebody posts that flaw, at least the information is now available to users so they can now take defensive measures (don't use .Mac, or don't let people use your machine without logging in as guest, or something along those lines). Apple should be responding to the post with guidance on these workarounds until a patch is issued. i.e. they should empower users instead of deceiving them.

I don't understand how corporate structure, support monkeys etc. are relevant. Everyone agrees Apple has a well-documented history of deleting posts of this nature -- this is a deceptive practice and they should not be doing this. If this was any other company court cases would already have been filed. Only Apple users are this forgiving.

Re:When Will Apple Learn (-1, Flamebait)

AaronLawrence (600990) | more than 6 years ago | (#21716108)

> having a default web browser that doesn't run code written in C++

Safari/Konqueror is written in C++ (or perhaps C) is it not?

Re:When Will Apple Learn (1)

Nimey (114278) | more than 6 years ago | (#21715734)

> profolactic

Prophylactic.

Re:When Will Apple Learn That (0)

Anonymous Coward | more than 6 years ago | (#21715776)

as they attract people who are responsible for Windows security issues to their platform they will be vulnerable to the same opportunities.

Re:Apple's response? (2, Insightful)

kaos07 (1113443) | more than 6 years ago | (#21715302)

I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.

However Apple, like most corporations, clearly hasn't heard of the "Streisand effect" http://en.wikipedia.org/wiki/Streisand_effect [wikipedia.org]

Re:Apple's response? (1)

slyn (1111419) | more than 6 years ago | (#21715636)

I can't wait until the day that Barbra Streisand denies there being such a thing as the Streisand effect, and the world enters an infinite loop and esplodes.

Re:Apple's response? (1)

gaelfx (1111115) | more than 6 years ago | (#21715822)

That is exactly what I thought when I first read this, and you will have to forgive the ensuing ignorance that I am about to graffiti /. with because I am in China and wikipedia is difficult to access this week (maybe next week I'll be smarter ;) ). But I think the problem is that the post appears to have been disregarded. What Apple could have done is to write an email response to the poster (unless they did so anonymously) or at least put up a vague nod to the fact that they are working on this issue and that more posts on it are unnecessary/detrimental to their efforts to fix this problem. It's easy to let people know that you are aware of a problem without letting many people know what it is, software companies do this all the time. Another thing they should realize is that, by treating this post in this way, the security issue will become bigger news and thereby make it an even bigger issue (for this I cite the fact that /. has this posted on the frontpage, replete with instructions about how to perform said "hack"). That's the blunder in this whole mess that is not very forgivable, and is a lesson they should have learned from Microsoft trying to "deal" with IE vulnerabilities. ~is using a mac to write this, does not use .mac~

Re:Apple's response? (1)

1u3hr (530656) | more than 6 years ago | (#21716034)

I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.

Apple can't take it down from anywhere else, (eg, here) so all it does is make them look like assholes, it protects no one. Any malicious types will know about this now, people are vulnerable and may not know it because of this.

Re:Apple's response? (1)

aliquis (678370) | more than 6 years ago | (#21715328)

No, how they handle every flaw and criticism is fascinating, in a bad way.

I still haven't decided if I should like them or not, I guess they are as bad as Microsoft.

Your .sig (1)

Knuckles (8964) | more than 6 years ago | (#21715380)

Free means no restrictions

Your basic premise is wrong.

Other Apple security controversy (4, Informative)

DigitAl56K (805623) | more than 6 years ago | (#21715574)

The Reg is currently questioning Apple's approach even in addressing well-known security vulnerabilities that it has actually acknowledged:

http://www.theregister.co.uk/2007/12/15/apple_security_fixes/ [theregister.co.uk]

Re:Apple's response? (1)

the_womble (580291) | more than 6 years ago | (#21715664)

It may be bad technical practice, it is excellent business practice.

Their main competitor is MS. As long as their users remain less likely to have security problems than MS's users, they do not have a problem. They have no reason to waste resources on security.

What are users who are not happy with Apple over this going to do? Switch to Windows?

Re:Apple's response? (1)

hankwang (413283) | more than 6 years ago | (#21715666)

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"?

From the forums Terms of Service [apple.com] : Post constructive comments and questions. Unless otherwise noted, your Submission should either be a technical support question or a technical support answer. Constructive feedback about product features is welcome as well. If your Submission contains the phrase "Im sorry for the rant, but" you are likely in violation of this policy.

We cannot see what the deleted discussion looked like, but I think a topic starter like "How do I secure my iDisk?" is much less likely to be deleted than "Apple's iDisk has horrible security", even if the former leads to a heated discussion.

Re:Apple's response? (1)

d20_techie (1203900) | more than 6 years ago | (#21715684)

I am not a Mac Fan Boy. I see quite clearly Apple's mistakes, yet I love Apple. I admit to the fact they are flawed, just like Microsoft and every distribution of *nix out there. If Operating Systems were designed to be perfect we would not have so many of them. Now, as for the article. It is crap. There is, and you could find this out very quickly if you used .Mac as I have for two years, a logout button. Whenever I accessed my E-mail or Homepage or anything else tied into .Mac I was able to logout of .Mac and have never had any issues with having my privacy breached. When I was using .Mac I always intended to start using the other features more frequently, but I almost never used it for more than e-mail. So I cancelled my account as it is stupid to pay $100 a year for an e-mail account. Granted it had MUCH better spam control than yahoo, but at least yahoo is free.

this is common (1)

Erpo (237853) | more than 6 years ago | (#21715696)

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

This happens all the time on corporate forums. The really infuriating part is that the admins also delete posts advocating a move to another forum without censorship. The only way to take discussion to a sane place is to find topics before they've been deleted, see who's interested enough to post in those threads, and PM them with an invitation to a different forum.

Slant much? (4, Insightful)

Osty (16825) | more than 6 years ago | (#21715234)

I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.

Re:Slant much? (0)

Anonymous Coward | more than 6 years ago | (#21715294)

If this were a Microsoft property, people would be screaming bloody murder.
People say this a lot, but I wonder just how true it is.

Re:Slant much? (1)

blowdart (31458) | more than 6 years ago | (#21715538)

People say this a lot, but I wonder just how true it is.

Ah you must be new. Welcome to slashdot.

quix fix (0, Offtopic)

Anonymous Coward | more than 6 years ago | (#21715236)

step 1. use firefox
step 2. ctrl+shift+del
step 3. ?????
step 4. profit

Re:quix fix (1)

Mathinker (909784) | more than 6 years ago | (#21715402)

Didn't you skip

step 0. Boot Linux from USB.

?

Assuming firefox will only use ramdisk for its cache, of course...

Re:quix fix (1)

yoshi2.0 (1199185) | more than 6 years ago | (#21715428)

People will never tire of that joke.

</sarcasm>

Clear private data (2, Interesting)

linuxci (3530) | more than 6 years ago | (#21715254)

Tools > Clear Private Data in Firefox is the option you need.

Not having a log out button is bad design but many people forget to click them, you need a decent timeout to reduce the risk for those that don't log out.

Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.

Re:Clear private data (1)

QuantumG (50515) | more than 6 years ago | (#21715372)

1. Clear private data in Firefox doesn't delete cookies by default.. you need to select that option.
2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?
3. Many other sites do too.. it's called convenience.

Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

Re:Clear private data (4, Insightful)

Osty (16825) | more than 6 years ago | (#21715510)

2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?

Slashdot has a "public" option. If you click that when you log in, your login state is only stored for the session and freed when you close the browser.

3. Many other sites do too.. it's called convenience.

Many other sites also implement a "public" mode like Slashdot has. Just as two other examples, Microsoft's Outlook Web Access (OWA) lets you choose "public" or "private" when you login, and Microsoft's Passport/Windows Live ID gives you the option to save email + password, just email, or nothing (the latter two are effectively session-only logins, as you still need the user's password in order to login subsequently). As well, every other site also has the ability to logout, which .Mac is missing.

Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time. If you only choose the latter, like .Mac, you must also provide a "logout" option. Anything less is a security violation.

Re:Clear private data (0)

Anonymous Coward | more than 6 years ago | (#21716098)

2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?
3. Many other sites do too.. it's called convenience.
Let's compare the scenarios.

Imagine somebody gets access to your Slashdot account. They can't take over the account, because they can't change your password unless they know your current password and they can't change your email address without a notification being sent to the current address. So the worst-case scenario is that they troll a bit and you lose a little karma.

Imagine somebody gets access to your iDisk account. They have access to your personal files, and can read, modify, and delete your data freely.

Hmm, I wonder whether one of these scenarios is maybe a little more serious than the other? And maybe whether what's a reasonable risk where the stakes are low, might just be an unreasonable risk when the stakes become a little higher? Ya think?

Security Through Obscurity (2, Funny)

ookabooka (731013) | more than 6 years ago | (#21715256)

podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple.

Ah, well, see, so long as Apple makes sure no one knows about this, it won't be a problem. Surely everyone on Slashdot sees the validity of this strategy. (God I love my sig)

Re:Security Through Obscurity (0)

Anonymous Coward | more than 6 years ago | (#21715366)

What sig?

Re:Security Through Obscurity (1)

ookabooka (731013) | more than 6 years ago | (#21715816)

If you are about to mod me down, keep in mind that this post was most likely sarcastic.
I hope this doesn't get modded informative.

Re:Security Through Obscurity (1)

PjotrP (593817) | more than 6 years ago | (#21716046)

So you probably mean your sig is most likely sarcastic?

Huh? (5, Informative)

Yaztromo (655250) | more than 6 years ago | (#21715262)

After accessing your iDisk in Firefox:

  • Tools -> Clear Private Data

In Safari:

  • Safari -> Reset Safari

Or if you remember to do so before visiting .Mac's iDisk page:

  • Safari -> Private Browsing

Problem solved.

So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.

Yaz.

Re:Huh? (2, Interesting)

Shifuimam (768966) | more than 6 years ago | (#21715298)

That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/application, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.

Re:Huh? (2, Insightful)

Moofie (22272) | more than 6 years ago | (#21715362)

Seems to me that if you're concerned about security, you should think very carefully about using a public terminal.

Huh?-Eye 'C' U`. (0)

Anonymous Coward | more than 6 years ago | (#21715476)

And a public street. Or an employers computer. Etc, etc, etc.

Re:Huh? (1)

MobileTatsu-NJG (946591) | more than 6 years ago | (#21716028)

"Seems to me that if you're concerned about security, you should think very carefully about using a public terminal."

If the real world worked that way there'd be no guard rails.

Re:Huh? (4, Informative)

admactanium (670209) | more than 6 years ago | (#21715382)

That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/application, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.
i agree. but fyi, i just did this with my own idisk account. if you quit the browser, then you cannot get back to the idisk interface without a password prompt. there should be a log-out function, but it's not as if it's impossible to end the session.

Re:Huh? (1)

kongit (758125) | more than 6 years ago | (#21715300)

The average user does not know about the existing facilities at their disposal most of the time. While it is possible to easily remedy this problem most average users would not use the tools menu, would be afraid to reset safari, and would not understand exactly what private browsing is. Of course it's a toss up if an average user would use a log off button if it was available, but the lack of one is bad design.

Re:Huh? (4, Insightful)

Knuckles (8964) | more than 6 years ago | (#21715394)

Of course it's a toss up if an average user would use a log off button

That's why all bank sites I know log you out if you are inactive for a while. Seems like a good idea.
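As an added example (not code from Apple or from any poster in this thread), here is a small Python session store that implements the "public terminal" (session cookie) versus "private terminal" (persistent cookie) choice Osty describes above, the inactivity logout Knuckles mentions, and a server-side logout that revokes every session the user holds. The cookie name, the lifetimes and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Lifetimes are assumptions for the example, not .Mac's real values.
IDLE_TIMEOUT_S = 15 * 60                 # bank-style inactivity logout
PERSISTENT_MAX_AGE_S = 14 * 24 * 3600    # "private terminal" cookie lifetime
COOKIE_FLAGS = "Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Session:
    user: str
    persistent: bool
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table; the browser only ever holds an opaque id."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                       # injectable clock for testing
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, public_terminal: bool) -> Tuple[str, str]:
        """Create a session and return (session id, Set-Cookie header value).

        public_terminal=True  -> session cookie: no Max-Age/Expires, so the
                                 browser drops it when it is closed.
        public_terminal=False -> persistent cookie with an explicit Max-Age.
        """
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user, not public_terminal, t, t)
        cookie = f"sid={sid}; {COOKIE_FLAGS}"
        if not public_terminal:
            cookie += f"; Max-Age={PERSISTENT_MAX_AGE_S}"
        return sid, cookie

    def authenticate(self, sid: Optional[str]) -> Optional[str]:
        """Return the user for a live session, else None.

        Validity is decided here, not by the browser: a cookie that was never
        cleared client-side is useless once the server has revoked or expired it.
        """
        s = self._sessions.get(sid) if sid else None
        if s is None or s.revoked:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT_S:
            s.revoked = True                  # inactivity timeout
            return None
        if s.persistent and t - s.created > PERSISTENT_MAX_AGE_S:
            s.revoked = True                  # absolute lifetime reached
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid: str) -> str:
        """Revoke every session the user holds and return a cookie-clearing header.

        Revoking all of the user's sessions means a logout on one page cannot
        leave a second, separately issued session (e.g. a file-store window
        opened from the portal) alive on the same machine.
        """
        s = self._sessions.get(sid)
        if s is not None:
            for other in self._sessions.values():
                if other.user == s.user:
                    other.revoked = True
        return f"sid=; Max-Age=0; {COOKIE_FLAGS}"
```

A revisit from browser history after `logout` or after the idle timeout fails at `authenticate` regardless of what the browser still has cached.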

Re:Huh? (1)

rastoboy29 (807168) | more than 6 years ago | (#21716070)

Dude.  You should know that this is far too arcane for the "average" user.

Frankly, "average" users shouldn't have to go out of their way to get good security.  We should be designing it into the systems we create for them to use!

Dammit!

another security aspect (2, Interesting)

pwizard2 (920421) | more than 6 years ago | (#21715272)

Is the iDisk connection encrypted, or is it wide open?

This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)

In other news... (4, Funny)

Dieppe (668614) | more than 6 years ago | (#21715278)

Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...

Re:In other news... (0)

Anonymous Coward | more than 6 years ago | (#21715412)

Slashdot editor kdawson ... mysteriously disappear[s]...
And the Slashdot community rejoices!

(This is either +1 Insightful or +1 Obvious, moderators act accordingly).

Re:In other news... (4, Funny)

ColdWetDog (752185) | more than 6 years ago | (#21715824)

Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...

I don't know about M. deleuth, but if Apple's Reality Distortion Field(R) can make kdawson disappear, I'm buying another Mac. Maybe two.

That's interesting (3, Interesting)

Auckerman (223266) | more than 6 years ago | (#21715282)

I've never noticed that before. Probably because desktop WebDav on OS X is so slow that I just use dedicated client apps. The poster isn't being perfectly clear on the whole process for accessing your iDisk via dot mac. Here's how it goes. You sign into dot mac, then you sign into your iDisk. Same username, same password for both. You get a web page that accesses your WebDav folder on Apple's servers. Signing out of dot mac doesn't sign you out of the iDisk. A simple history check pulls it right back up with full write access to your iDisk (clearly not from web cache). No one would expect that behavior. I would assume there is a network idle time out, as dotmac has.

In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apple's main advertising points for it. Gotta remember though, Apple, like all other companies, is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working its way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".

Though, the extra publicity will help.

Re:That's interesting (1)

Shifuimam (768966) | more than 6 years ago | (#21715308)

There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem

...then a much more customer-friendly way of handling such a thing (if that's what really happened) would be to post that the problem is being looked into, and lock the thread so that customers are aware that Apple isn't censoring them. At this point, it just looks like Apple's pulling the censor-ignore-and-run method of "customer service" that they have certainly been guilty of in the past.

Re:That's interesting (1)

Auckerman (223266) | more than 6 years ago | (#21715752)

The problem here is, they have an arguably bad forum policy. I agree, but that has nothing to do with their security policy. There are ways, that they aren't doing, to make this not a problem immediately. Like removing iDisk over web functionality until a fix that doesn't hose their server farm is tested and in place. They probably haven't done this because there is very little chance this is going to be a problem, since the series of events required for your iDisk to be compromised are incredibly unlikely. In real human terms, this really isn't a big issue, even though it definitely should be fixed immediately.

Re:That's interesting (1)

martinX (672498) | more than 6 years ago | (#21715756)

From what I've seen of a few similarly-handled issues, once this information becomes public, they'll pull forum posts and then work on fixing it (if they're not already).

If you have a bug report, Apple asks that you submit it via the usual channels. They don't, however, respond to these.

I'd imagine (and it is only imagination, since I'm not SteveJ or anyone who works for him) that they don't routinely respond to bug reports posted online because there's a helluva lot of "bug reports" posted online (in italics because the 'bug' may be simply user error, not Apple's fault or just really minor stuff) and responding to every single one may look good but may bog important personnel down in trivialities.

Deleting them stops the noise, while allowing signal through (to Apple) and hopefully allows Apple to get things done.

Perfect? No. But probably an OK way of handling things, given the number of false positives (not really bugs) to true positives (real bugs like this one).

Just another hit against Apple... (3, Insightful)

Shifuimam (768966) | more than 6 years ago | (#21715288)

Yet another incident where Apple blatantly ignores the customers they claim to value so much...and they will likely continue to do so until there's such a shitstorm about this that they have no choice but to respond. Apple used to be a good company...ten years ago. Now they're just as bad (if not worse, in many regards) as every other IT giant out there. Sad.

Re:Just another hit against Apple... (1)

megaditto (982598) | more than 6 years ago | (#21715750)

Why is that? Did they change something 10 years ago to make them different?

Personally, I just don't expect a publicly traded company to look out for me (unless I am a shareholder, but even then...)

How many people actually use iDisk? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21715296)

My mother uses a Mac so I was interested in making sure she doesn't get pwned. I never heard of iDisk so I checked it out.

.Mac iDisk lets you store, access, and share large files with drag-and-drop simplicity. And with ample online storage, even huge files are no problem.

It sounds neat but mom isn't going to use it. My way to do the same thing is just to ssh to my desktop at work and do whatever. So, I wouldn't use something like iDisk. It is also neat that you can share large files with your buddies. otoh, people can share movies online without iDisk.

So, my question is, how many people actually use iDisk? How much of a problem is this actually?

Re:How many people actually use iDisk? (3, Interesting)

admactanium (670209) | more than 6 years ago | (#21715364)

So, my question is, how many people actually use iDisk? How much of a problem is this actually?
actually, i use it all the time. it's a very convenient way for me to let clients download files. i have a hosting account with a traditional host as well, but i never went through the trouble of making/figuring out a nice-looking interface for my clients to use. with idisk i throw them into the public folder, then log into the web interface to set-up/edit their download page. obviously, this isn't great for confidential information, but i rarely deal with stuff that sensitive. i also host one of my personal websites on .mac. i will say however that i don't use the finder's idisk implementation nor do i manage the input/output of my files on the web. i just ftp into my idisk and then deal with the interface afterwards. ftp is much faster than the native interface. but i do find idisk to be really convenient in my particular case.

Re:How many people actually use iDisk? (0)

Anonymous Coward | more than 6 years ago | (#21715760)

IIRC, iDisk doesn't support FTP. There have been major gripes about this for years. Surely you mean another WebDAV client? Or have they actually added FTP support?

Apple Browser Cache . . . (1)

Tanman (90298) | more than 6 years ago | (#21715304)

. . . It just *works*

A question for fanboys (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21715330)

This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple.

Can you imagine (or can you prove that) Microsoft has ever done anything like that? So who's really evil? Apple or MS?

The Cult of the Mac (1, Troll)

urcreepyneighbor (1171755) | more than 6 years ago | (#21715398)

If you suppress bad news, it doesn't exist!

Re:The Cult of the Mac (1)

DigitAl56K (805623) | more than 6 years ago | (#21715708)

Oh the irony, I wish I could mod the guy who modded you -1 Troll +1 Funny!

Flaw? (0)

Anonymous Coward | more than 6 years ago | (#21715414)

Just another flaw to go alongside the "reliability flaw" and "value-for-money flaw".

Apple stealing from MS? (0, Flamebait)

dotancohen (1015143) | more than 6 years ago | (#21715416)

First, Apple stole the syntax from MS. Now they're implementing unsafe computing practices. What next, EEE?

Wait, what?? (4, Interesting)

Khyber (864651) | more than 6 years ago | (#21715432)

No SSH session for transmission of personal data, and reliable logout for protection? Insane security practice from a now UNIX-certified OS vendor, especially when it comes to something so private as the transfer of one's hard disk contents to an internet backup? Ah well, it was bound to happen, and it has probably happened in the past, and will likely happen again in the future. Anyone can slip up.

You are a heretic, sir! (4, Funny)

Quiet_Desperation (858215) | more than 6 years ago | (#21715512)

Anyone can slip up.

Ah, but this is Slashdot, where corporations are composed of primordial evil and capitalism is the beefy fart of the Devil. Every slip up is cause for running to the hills to prepare revolutionary strikes, and then run to the other hills and plan counter-revolutionary terror, and we all run around like decapitated chickens shouting comforting mantras like "Information wants to be free!" and "It am teh suk!"

Oh noes! (-1, Troll)

Quiet_Desperation (858215) | more than 6 years ago | (#21715484)

It be teh end of the fooking world!!!!!

Slow news day, guys? A .Mac issue? I mean... seriously? And this is from a .Mac user.

Oooo! His post got deleted! CONSPIRACY! There's EVEIL afoot!

And did it really? Is there backup for that claim? Call the FBI! Call CSI - Cupertino!

The level of panic over trivialities on Slashdot in recent years is astonishing, but amusing. :-)

Ah well, mod me down now. It's your way.

Re:Oh noes! (0)

Anonymous Coward | more than 6 years ago | (#21716018)

How much are your bosses at Apple giving you for this as a bonus?

My testing (0)

Twid (67847) | more than 6 years ago | (#21715550)

This story is stupid.

Step 1: Log into .Mac at mac.com - notice big LOG OUT text button on the top right
Step 2: Click to go to my iDisk - iDisk pops up in a new window
Step 3: Finish using iDisk, close window
Step 4: Click the big LOG OUT text button

dotMac also times out after 30 minutes and forces a re-authentication.

In other news, your computer is broadcasting an IP Address RIGHT NOW.

Re:My testing (3, Informative)

makomk (752139) | more than 6 years ago | (#21715690)

According to this post [slashdot.org], signing out of .Mac doesn't actually sign you out of the iDisk.

Re:My testing (3, Informative)

prockcore (543967) | more than 6 years ago | (#21715694)

Step 5. Notice that clicking the big LOG OUT button doesn't affect iDisk.

This just in! (1)

krunk7 (748055) | more than 6 years ago | (#21715566)

If you let someone have full access to your computer, they can delete personal files and directories! News at 11!

Re:This just in! (1)

**loki969** (880141) | more than 6 years ago | (#21715780)

Insufficient! Sit down!

Go back and read TFA!

Minor issue. (1)

Anonymous Coward | more than 6 years ago | (#21715630)

Really, if the public terminal isn't configured to automatically clear the data when the person has finished there's a problem.

If they can already access your pc... (0)

Anonymous Coward | more than 6 years ago | (#21715786)

If they can already access your mac, then I think the last thing you would worry about is your .Mac account.

Browser Sessions (1)

LordLucless (582312) | more than 6 years ago | (#21715830)

I thought that session cookies died when the browser window closed - or does .Mac use URL rewriting?

An Apple a day... (1)

JAlexoi (1085785) | more than 6 years ago | (#21715856)

That's why I "like" Apple.
If you don't like something about them, it's you who is wrong.
And now, if you suspect/have proved a security flaw, you still are on the wrong side of things.

Microsoft locks you in to software, leaving hardware selection free, Apple locks you in completely. Now tell me who's worse.

iDisk data is unencrypted anyway (1)

Ma8thew (861741) | more than 6 years ago | (#21716080)

A far more pressing concern is that data is transmitted to and from your iDisk insecurely [taoofmac.com]. No one should be storing any sensitive data on their iDisk.

Apple hides the problems, or ? (1)

Teisei (1172661) | more than 6 years ago | (#21716106)

I wonder if this article is about how Apple is sweeping problems, like dust, under the carpet. Sounds very Microsoft-ish. However, it's also very likely that Apple really takes care of those problems, but I don't understand why hide them as if they didn't exist at all.