kiddico 12 days ago [-]
I find it interesting how many of those are attributed to project zero members
Gys 12 days ago [-]
Good to know that at least Google is very concerned with MacOS security ;-)
ninkendo 12 days ago [-]
A sizable percentage of their employees use macs, so it's not surprising.
digi_owl 12 days ago [-]
And the impression I have is that the pixel products are in part an attempt at getting them to dogfood Google's own stuff.
euyyn 12 days ago [-]
I can't think of any Google product that isn't dogfooded by Googlers, to be frank.
radley 12 days ago [-]
When I attended Google IO a couple of years back, I was surprised how many Android team members were using iPhones.
tajen 12 days ago [-]
Well if they want security, Android has only been half serious since 6 (entire systematic disk encryption, half-serious permissions...).
euyyn 11 days ago [-]
I've had a corporate Android phone since Ice-Cream Sandwich. I assume people that started before me used earlier versions too.
finchisko 11 days ago [-]
Maybe they want to have their enemy close. :D
ratsimihah 11 days ago [-]
<insert Sun Tzu quote here>
tzakrajs 12 days ago [-]
Adsense? I don't remember seeing internal advertisements powered by Adsense. :P
discreditable 12 days ago [-]
This made me imagine Googlers announcing donuts in meeting room x to others via adsense.
mtgx 12 days ago [-]
I think part of the reason why Google even decided to make its own phones is because of security. If you read about their BeyondCorp enterprise security architecture, it emphasizes smartphone security quite a bit and how devices without timely updates, for instance, will be banned from the network (Google's own internal network that is).

Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security.

https://cloud.google.com/beyondcorp/

Cyberdog 12 days ago [-]
> I think part of the reason why Google even decided to make its own phones is because of security.

Huh. I think the main reason some people (myself included) go out of their way to avoid Google products as much as possible is because of security.

__jal 12 days ago [-]
Google's security != your security.

I do trust Google to "get security right"[1]. I just don't trust them to secure things I don't want to share with them. Which happens to be a huge percentage of data on and generated by my phone.

[1] In the colloquial sense that people tend to use that phrase.

8ytecoder 12 days ago [-]
Do you mean privacy? I don't have issues with Google's handling of security.
jageen 12 days ago [-]
syrrim 11 days ago [-]
That's privacy (ie google collects your data), not security (some random hacker collects your data).
yoz-y 11 days ago [-]
There is a link albeit not a first order one. If your privacy gets invaded enough, then random third parties will get your data (legally, from google) and then some random hacker will collect it.
tpush 12 days ago [-]
Why wouldn't they use their Nexuses? They even push the updates out themselves.
Xorlev 12 days ago [-]
Not everyone has a Nexus or Pixel. It's BYOD except for Corp phones.
tpush 12 days ago [-]
I was responding to this: "Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security."

My question was why Google would be relying on iPhones when they could just use Nexuses(then) or Pixels(now), since they are pushing their own updates (especially security).

shouldgowork 12 days ago [-]
Happens at FB (more or less). Employees get ad credits, because it's an incredibly important part of the platform.
kiddico 12 days ago [-]
well somebody's got to do it
arubberduck 12 days ago [-]
Google has long been Apple's security division. Often I wonder if Apple has any security people at all. The last Safari update had 11 CVEs from Google. Most of Apple's updates credit one or more issues to Google, and often Apple credits OSS-Fuzz, which is also a Google project.
sigmar 12 days ago [-]
>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have social media presences. For example, their recent hire Jonathan Zdziarski

saagarjha 12 days ago [-]
It looks like you were cut off there…
NamTaf 11 days ago [-]
No, reread it as "For example, [consider] their recent hire Jonathan Zdziarski[, whom you'll see is a leading iOS security researcher from a cursory Google search]"

The GP just omitted a bunch of implied statements, which isn't immediately obvious especially if you don't natively speak English.

giancarlostoro 11 days ago [-]
He forgot a period at the end, so it does look like he got cut off potentially.
dep_b 12 days ago [-]
You don't credit internal employees in this way. These bugs were reported through official channels.
forgot-my-pw 12 days ago [-]
Security Update 2017-001 was released November 29, 2017: https://support.apple.com/en-ca/HT208315

Does it mean it's the first security update of the year? :(

dep_b 12 days ago [-]
No, just for this OS
forgot-my-pw 10 days ago [-]
High Sierra was released in June 2017. So that's still 6+ months without security patches. Not sure if that's a great track record or poor patching planning?
reacharavindh 11 days ago [-]
Just let my Mac take in this update, now sitting in front of it watching it say

“About 3 minutes remaining”

And then jump to

“About 29 minutes remaining” :-( The price I pay for being dumb to let it update during the work day. OSX is starting to feel more like the old Windows....

orionblastar 11 days ago [-]
I respect people who choose Macs and MacOS but there are reasons why I use Linux Mint and other versions of GNU/Linux.
dav43 11 days ago [-]
Isn’t it ever! The install update now or remind later notifications is classic Windows UI.
MiddleEndian 11 days ago [-]
OS X through around 10.4 would run most updates in the background and you could restart later at your own leisure. It was fantastic back then.
misterdata 11 days ago [-]
And what time did it actually take in the end?
ungzd 11 days ago [-]
For me, about an hour and 2 (or 3?) reboots. And this is a minor version update that consists only of bugfixes. I don't understand why overwriting a few megabytes of files takes such a long time and requires multiple reboots.
reacharavindh 11 days ago [-]
I'd say between 15 to 20 minutes.
mbesto 11 days ago [-]
Lemme guess - your fan is buzzing too?
nikanj 12 days ago [-]
From a cursory glimpse, it seems Apple only patches CVEs in OSS components when the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it will remain unpatched on macOS for weeks, if not months.

btgeekboy 12 days ago [-]
Apple sometimes distributes separate security updates, depending on the severity of the issue.
simlevesque 12 days ago [-]
Why does macOS ship with Apache ?
tjohns 12 days ago [-]
Before Mountain Lion, a personal web server was available under System Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is still built in and can be enabled if you install Apple's MacOS Server app from the app store. Or you can just enable it from the command line.

Waterluvian 12 days ago [-]
It was a really nice idea. I wonder how often it got used. I think it was a conceptual relic of the [Jeff Goldblum era](https://www.youtube.com/watch?v=dQmK1CnwOUI) of iMacs with instant Internet and personal webpages.
tomc1985 12 days ago [-]
The "Jeff Goldblum" era is still alive, just not in the minds of people trying to sell cloud-based alternatives
coldtea 12 days ago [-]
When people say "alive" in casual conversation, they mean alive for larger amounts of people than statistical noise...
tomc1985 11 days ago [-]
I suppose that could be an insult, if you were actually right
_sdegutis 12 days ago [-]
No, personal web pages have been replaced with Facebook accounts. Nobody wants or needs a website to show off photos and videos and personal updates anymore.
veidr 12 days ago [-]
They do if they don’t want their photos of their kids plastered with ads for fart apps and other unsavory garbage, though...
_sdegutis 11 days ago [-]
But nobody in the target audience will visit it, because it's some random website and not a Facebook page. So what good is a website that's never visited?
amatecha 12 days ago [-]
heh, remember when you could actually host your own website from your home connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to that, though :(
__david__ 12 days ago [-]
Not really. I still host a number of sites on my home linux box.
ungzd 11 days ago [-]
Nowadays you need PAAS cloud hosting with Kubernetes on at least 3 servers, monitoring SAAS, log storage SAAS, CI for js transpilers, CDN for assets, Cloudflare, SSL certificate, checklist for PWA compliance, UX guidelines, AMP, OpenGraph metadata. Because best practices!
rodgerd 12 days ago [-]
I... still do?

This is more about ISPs where you live than anything else. Most people don't want the hassle.

amatecha 11 days ago [-]
Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections. Common enough that noip.com has a "port redirection" feature, interestingly enough: http://www.noip.com/support/knowledgebase/my-isp-blocks-port...
rcarmo 12 days ago [-]
It used to be the basis for personal web pages, and deployable via iWeb, the “easy” web authoring tool that baked text into images...

Also, the server variants ran most services (calendars, etc.) behind it.

Edit: premature posting.

thought_alarm 12 days ago [-]
I assume it's so that I can run Bugzilla on my laptop.
nvr219 11 days ago [-]
Right, I feel like anyone who would need apache on MacOS would know how to install it...
Prontiol 12 days ago [-]
AFAIK macOS built in Apache is not started by default, so it is not a security risk anyway
domenukk 11 days ago [-]
That's a strange way to look at things. You could argue the computer doesn't come started by default so it's not a security risk... If there's an option to start it, it's a risk.
mariusmg 11 days ago [-]
Yeah, they should sell those Macs without a start button. That should keep them secure :)
jason_slack 11 days ago [-]
I was hoping this would fix my "Month 13 is out of bounds" error. It doesn't. I still have apps I cannot run now because of this. Looks like it is time to back everything up and wipe my disk back to 10.13 with no other updates.
p49k 11 days ago [-]
Wow, thanks for mentioning this. My Mac has been freezing when opening tons of apps lately, making it basically useless, and I couldn’t figure out what was wrong until I checked this. I never would have guessed it was a core OS issue. What a ridiculous bug to not patch immediately.

Apparently you can at least mitigate it partly by disabling ReportCrash.

jason_slack 11 days ago [-]
Can you share how to do this? Anything I can try to be able to launch some of my critical apps might help.

Edit: for those who are curious: https://www.gregoryvarghese.com/reportcrash-high-cpu-disable...

NightMKoder 11 days ago [-]
Here’s an ok description if folks (like me) are curious: https://robservatory.com/month-13-is-out-of-bounds/ .
jason_slack 11 days ago [-]
Nothing seems to help me in this article. Thanks for posting it. The more we know the better.
minusf 11 days ago [-]
no, not fixed and joined by MirrorDisplays:

com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

sccxy 12 days ago [-]
How to update when App Store is not working?

> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

Same error is shown on terminal too.

jchb 11 days ago [-]
Do you have any antivirus or (shady) anti-malware software installed? Not necessarily the problem, but it wouldn't be the first time..
sccxy 11 days ago [-]
No. Last successful update was just before this root bug.
tachion 12 days ago [-]
Try and grab yourself a combo update file and apply it to your system.
sccxy 10 days ago [-]
Unable to install from combo update file.

macOS 10.13.2. Update can't be installed on this disk. In order to upgrade to newer version of macOS High Sierra on this disk, please see the instructions here [https://beta.apple.com/sp/betaprogram/apfsfusion].

Looks like only way out is reinstall of macOS.

Macbook Air 2013

pjmlp 11 days ago [-]
Maybe Apple should hire a few more of those mythical C developers that never make mistakes.

3 x out of bounds errors

6 x memory corruption issues

numerlo 12 days ago [-]
People are reporting problems on Reddit https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_u... with the update. Anybody here tried it yet?
celias 12 days ago [-]
It took several minutes on a couple of Macs with fusion drives. It seemed stuck at "Calculating time remaining..." but eventually finished, rebooted, and continued installing, this time displaying a reasonable time remaining value.
ams6110 12 days ago [-]
I had this problem with the last Sierra update. Have not pulled the trigger on High Sierra yet.
robin_reala 12 days ago [-]
Yep, no problems (on a 2012 Air). Doesn’t seem to have fixed the Month 13 problem though…
finchisko 11 days ago [-]
No problem on Air 2012. Upgrade took shorter time than my shower. :D
joemaller1 12 days ago [-]
Direct download link from Apple Support: https://support.apple.com/kb/DL1946
iagooar 12 days ago [-]
> Description: A logic error existed in the validation of credentials.

No shit! No one thought of that... Come on, for writing this, you better don't write anything at all...

postit 12 days ago [-]
I find it interesting that the most notable names from P0 team aren't native US citizens.

Even with dual citizenship they won't get clearance easily to work for NSA.

lisper 12 days ago [-]
How on earth can you tell if someone is a native citizen from their name?

And what difference does it make if they're native or naturalized? One of the bedrock principles of American democracy is (or at least is supposed to be) that a citizen is a citizen. There's a reason that the phrase "second-class citizen" is supposed to have universally pejorative connotations.

nl 12 days ago [-]
> bedrock principles of American democracy

Clearances aren't democratic (nor should they be).

No idea how they can tell citizen status from the name, though. I thought the US was made up of people from all over earth with all kinds of backgrounds so one couldn't tell from their name.

komali2 12 days ago [-]
He's not wrong about it being more difficult for people with dual citizenship to get security clearance, though. At least in that sense you can be a "second class citizen."
lisper 12 days ago [-]
I'm a naturalized U.S. citizen with a dual citizenship, and I had no trouble (well, no more than the usual trouble) getting a security clearance.

But what does any of this have to do with anything anyway? The linked-to page doesn't mention the NSA, P0 team, or security clearances.

walshemj 12 days ago [-]
Might be hard for 1st gen citizens; when I started work late 10's in the UK all 4 grandparents had to be UK Nationals.
postit 12 days ago [-]
First: I used notable names instead of notable persons. If that caused a confusion or misunderstanding to the point you believe I was segregating or second classing anyone, pardon me.

Second: My intent was to reply to Kiddico's message which says "I find it interesting how many of those are attributed to project zero members" That's the relation of p0 with my reply

Third: Ben Hawkes(NZ), Tavis Ormandy(UK), Ian Beer(UK) and Matt Tate(UK) are often credited as notable members of the project zero team.

summer_steven 12 days ago [-]
>How on earth can you tell if someone is a native citizen from their name?

Why are you playing dumb? He's clearly talking about someone with a clearly foreign name, not someone from Canada.

I'm sick of people acting willfully ignorant in their arguments

Someone 12 days ago [-]
Clearly foreign, like Bezos, Obama, or Wozniak?
orionblastar 11 days ago [-]
We need immigration to have foreigners come here, make startups, grow our economy, and create jobs.

The student visa should lead to a green card. Since it does not immigrants go back to their home nation and do startups there.

Not to be political, but Trump does not get that yet.

summer_steven 12 days ago [-]
And those are exceptions to the norm.

Look at the census of the 100 most common American names, they're either traditional American names or Spanish names from those who immigrated here over the last 50 years. https://www.thoughtco.com/most-common-us-surnames-1422656

phaemon 11 days ago [-]
Those top 100 names total 50 million people, out of a total US population of 250 million (at time of 1990 census).

That means that 80% of the US population has a surname other than those on that list. Assuming that 80% of the US population are "foreign" because they aren't in the top 100 most common surnames, seems rather foolish.

DRW_ 11 days ago [-]
A lot of those look like traditional British names (also foreign).
asveikau 12 days ago [-]
Just want to repeat what lisper said, and even more emphatically as this is personal to me, you cannot tell a native US citizen from their name. I myself have an 11 character surname from the Baltic States. I was born in Washington DC.

What exactly is a native born American name to you? English origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

cortesoft 12 days ago [-]
I have no idea if this is the case, but it could also be possible that the person you are replying to actually knows of the people listed. He might not be basing his observation on the names themselves.
asveikau 12 days ago [-]
I have encountered too many similar comments to believe that is the case.
postit 12 days ago [-]
Please see my reply to lisper
summer_steven 12 days ago [-]
> I myself have an 11 character surname from the Baltic States.

What exactly is a Baltic surname to you? Russian origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

asveikau 12 days ago [-]
It's neither Russian nor German. Baltic is a linguistic category on its own. Specifically Lithuanian in my case. Latvian is related. There were also Baltic language speakers in Prussia before it became majority German speaking.

"Surname from the Baltic States" implies linguistic precision and specificity that "surname from the United States" does not convey and is in no means equivalent to. There is some vagueness in what I said but I left it there intentionally, people don't get crazy specific about personal details here usually. I was meaning to say I have a "foreign" surname.

summer_steven 12 days ago [-]
You're wrong about there being no traditional American. A traditional United States surname is generally English, Scottish, or Welsh as those were the primary people living in the United States from 1550-1850.

For instance, I remember from History class that there were at least 3 famous guys from the 1700s named "John Smith"

asveikau 12 days ago [-]
You're wrong about the history of the United States. Dutch New Yorkers. Germans in Pennsylvania. (German is the predominant ethnicity of white Americans by the way.) French in Maryland. Lots of land purchased from French and robbed from Spaniards. And I didn't even mention the native peoples... All of these groups exist in significant numbers before the 1800s.

Since you're interested in around 1850, around there starts immigration from places like Ireland, Italy, Poland.. even a few Baltic people.

abrowne 12 days ago [-]
> robbed from Spaniards

They were Mexican by that point, right?

asveikau 11 days ago [-]
Depends where you are talking about. In the southwest or the west coast yes. I was thinking of Florida though, which was earlier. Though as I look that up maybe "robbed" is not the right word.

Then of course much later there was the war with Spain which resulted in caribbean US territories... This is becoming a big tangent though.

summer_steven 11 days ago [-]
Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh: https://www.ssa.gov/oact/babynames/decades/century.html

No matter what you think, the British Isles are the ones who populated the country.

asveikau 11 days ago [-]
No matter what you think, white Americans are mostly German. Here is the top hit when I googled that:

"German-Americans are America’s largest single ethnic group .... In 2013, according to the Census bureau, 46m Americans claimed German ancestry: more than the number who traced their roots to Ireland (33m) or England (25m). "

https://www.economist.com/news/united-states/21642222-americ...

dragonwriter 10 days ago [-]
> Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh

Lots of people of other origins adopted English surnames because the British were the dominant early group, and then later people with British names were, even though not always of British descent.

So, now, sure, British surnames are dominant, but that's often not indicative of British descent.

abrowne 10 days ago [-]
People often adopted English surnames or Anglicized their names, especially around WWI (also when the huge number of German language newspapers mostly closed and even towns named after German places were renamed).
dragonwriter 12 days ago [-]
> I find it interesting that the most notable names from P0 team aren't native US citizens.

How do you know?

> Even with dual citizenship they won't get clearance easily to work for NSA.

Not being a native citizen doesn't mean you are a dual citizen; those are orthogonal concepts. Dual citizens are frequently native-born (having citizenship-by-birth in more than one country is a common route to dual citizenship) and naturalized citizens often do not retain foreign citizenship (they formally must renounce it, but some countries don't automatically—or ever—give effect to such renunciation.)

komali2 12 days ago [-]
Huh. What kind of computers are they using over at the NSA, anyway? What about their laptops?
johansch 12 days ago [-]
This is their way of saying: upgrade from Sierra to the seemingly still supremely buggy High Sierra or you'll get owned?

Gee, thanks.

nautilus12 12 days ago [-]
Long time mac user, versed in Linux but have been using Mac for its "convenience" for years: Upgraded to high sierra, and my power modes started working totally irrationally with seemingly no explanation. When I closed the lid it suddenly started going crazy and nearly burnt a hole in my desk. I think it burnt out the logic board in this way, the GPU and kernel started panicking after 2 minutes running. When turned off it would turn itself on and go into this crazy hyper swap mode, the box when I was shipping it to applecare seemed like it would catch on fire. Had to keep using SMC shutdown to get it to turn off. I don't know if the issue was High Sierra, macbook pro 2016 (which are total crap in my opinion; why in the world would you hardwire the hard drive into the logic board??), or both, but it suffices to say I'm buying a Thinkpad, and I'm only using Ubuntu on it.
chisleu 12 days ago [-]
Make sure it is a new Intel CPU too so you can't get power management to work there either. #skylakeWasFun
jezfromfuture 12 days ago [-]
You're an idiot
jrochkind1 12 days ago [-]
If I'm reading it right, all those patches are also available for Sierra 10.12.6 and El Capitan 10.11.6 (and will presumably be delivered by an update there), except for the ones that say don't apply to Sierra 10.12.6 (the vulnerability doesn't exist there).

Eg:

> macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

And:

> Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1

> Not impacted: macOS Sierra 10.12.6 and earlier

erikcs 12 days ago [-]
Most of the CVEs are fixed in Sierra and El Capitan as well.
kevinherron 12 days ago [-]
Yep... installed the Sierra security update this morning.