kiddico 320 days ago [-]
I find it interesting how many of those are attributed to project zero members
Gys 320 days ago [-]
Good to know that at least Google is very concerned with MacOS security ;-)
ninkendo 320 days ago [-]
A sizable percentage of their employees use macs, so it's not surprising.
digi_owl 320 days ago [-]
And the impression I have is that the pixel products are in part an attempt at getting them to dogfood Google's own stuff.
euyyn 320 days ago [-]
I can't think of any Google product that isn't dogfooded by Googlers, to be frank.
radley 320 days ago [-]
When I attended Google IO a couple of years back, I was surprised how many Android team members were using iPhones.
tajen 320 days ago [-]
Well if they want security, Android has only been half serious since 6 (entire systematic disk encryption, half-serious permissions...).
euyyn 320 days ago [-]
I've had a corporate Android phone since Ice-Cream Sandwich. I assume people that started before me used earlier versions too.
finchisko 320 days ago [-]
Maybe they want to have their enemy close. :D
ratsimihah 319 days ago [-]
<insert tsun zu quote here>
tzakrajs 320 days ago [-]
Adsense? I don't remember seeing internal advertisements powered by Adsense. :P
discreditable 320 days ago [-]
This made me imagine Googlers announcing donuts in meeting room x to others via adsense.
mtgx 320 days ago [-]
I think part of the reason why Google even decided to make its own phones is because of security. If you read about their BeyondCorp enterprise security architecture, it emphasizes smartphone security quite a bit and how devices without timely updates, for instance, will be banned from the network (Google's own internal network that is).

Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security.

Cyberdog 320 days ago [-]
> I think part of the reason why Google even decided to make its own phones is because of security.

Huh. I think the main reason some people (myself included) go out of their way to avoid Google products as much as possible is because of security.

__jal 320 days ago [-]
Google's security != your security.

I do trust Google to "get security right"[1]. I just don't trust them to secure things I don't want to share with them. Which happens to be a huge percentage of data on and generated by my phone.

[1] In the colloquial sense that people tend to use that phrase.

8ytecoder 320 days ago [-]
Do you mean privacy? I don't have issues with Google's handling of security.
syrrim 320 days ago [-]
That's privacy (i.e. google collects your data), not security (some random hacker collects your data).
yoz-y 320 days ago [-]
There is a link albeit not a first order one. If your privacy gets invaded enough, then random third parties will get your data (legally, from google) and then some random hacker will collect it.
tpush 320 days ago [-]
Why wouldn't they use their Nexuses? They even push the updates out themselves.
Xorlev 320 days ago [-]
Not everyone has a Nexus or Pixel. It's BYOD except for Corp phones.
tpush 320 days ago [-]
I was responding to this: "Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security."

My question was why Google would be relying on iPhones when they could just use Nexuses(then) or Pixels(now), since they are pushing their own updates (especially security).

shouldgowork 320 days ago [-]
Happens at FB (more or less). Employees get ad credits, because it's an incredibly important part of the platform.
kiddico 320 days ago [-]
well somebody's got to do it
arubberduck 320 days ago [-]
Google has long been Apple's security division. Often I wonder if Apple has any security people at all. The last Safari update had 11 CVEs from Google. Most of Apple's updates credit one or more issues to Google, and often Apple credits OSS-Fuzz, which is also a Google project.
sigmar 320 days ago [-]
>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have social media presences. For example, their recent hire Jonathan Zdziarski

saagarjha 320 days ago [-]
It looks like you were cut off there…
NamTaf 320 days ago [-]
No, reread it as "For example, [consider] their recent hire Jonathan Zdziarski[, whom you'll see is a leading iOS security researcher from a cursory Google search]"

The GP just omitted a bunch of implied statements, which isn't immediately obvious especially if you don't natively speak English.

giancarlostoro 320 days ago [-]
He forgot a period at the end, so it does look like he got cut off potentially.
dep_b 320 days ago [-]
You don't credit internal employees in this way. These bugs were reported through official channels.
forgot-my-pw 320 days ago [-]
Security Update 2017-001 was released November 29, 2017:

Does it mean it's the first security update of the year? :(

dep_b 320 days ago [-]
No, just for this OS
forgot-my-pw 318 days ago [-]
High Sierra was released in June 2017. So that's still 6+ months without security patches. Not sure if that's a great track record or poor patching planning?
reacharavindh 320 days ago [-]
Just let my Mac take in this update, now sitting in front of it watching it say

“About 3 minutes remaining”

And then jump to

“About 29 minutes remaining” :-( The price I pay for being dumb to let it update during the work day. OSX is starting to feel more like the old Windows....

orionblastar 320 days ago [-]
I respect people who choose Macs and MacOS but there are reasons why I use Linux Mint and other versions of GNU/Linux.
dav43 320 days ago [-]
Isn’t it ever! The install update now or remind later notifications is classic Windows UI.
MiddleEndian 319 days ago [-]
OS X through around 10.4 would run most updates in the background and you could restart later at your own leisure. It was fantastic back then.
misterdata 320 days ago [-]
And what time did it actually take in the end?
ungzd 320 days ago [-]
For me, about an hour and 2 (or 3?) reboots. And this is a minor version update that consists only of bugfixes. I don't understand why overwriting a few megabytes of files takes such a long time and requires multiple reboots.
reacharavindh 320 days ago [-]
I'd say between 15 to 20 minutes.
mbesto 320 days ago [-]
Lemme guess - your fan is buzzing too?
nikanj 320 days ago [-]
From a cursory glimpse, it seems Apple only patches CVEs in OSS components when the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it will remain unpatched on macOS for weeks, if not months.

btgeekboy 320 days ago [-]
Apple sometimes distributes separate security updates, depending on the severity of the issue.
simlevesque 320 days ago [-]
Why does macOS ship with Apache ?
tjohns 320 days ago [-]
Before Mountain Lion, a personal web server was available under System Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is still built in and can be enabled if you install Apple's MacOS Server app from the app store. Or you can just enable it from the command line.

Waterluvian 320 days ago [-]
It was a really nice idea. I wonder how often it got used. I think it was a conceptual relic of the Jeff Goldblum era of iMacs with instant Internet and personal webpages.
tomc1985 320 days ago [-]
The "Jeff Goldblum" era is still alive, just not in the minds of people trying to sell cloud-based alternatives
coldtea 320 days ago [-]
When people say "alive" in casual conversation, they mean alive for larger amounts of people than statistical noise...
tomc1985 319 days ago [-]
I suppose that could be an insult, if you were actually right
_sdegutis 320 days ago [-]
No, personal web pages have been replaced with Facebook accounts. Nobody wants or needs a website to show off photos and videos and personal updates anymore.
veidr 320 days ago [-]
They do if they don’t want their photos of their kids plastered with ads for fart apps and other unsavory garbage, though...
_sdegutis 319 days ago [-]
But nobody in the target audience will visit it, because it's some random website and not a Facebook page. So what good is a website that's never visited?
amatecha 320 days ago [-]
heh, remember when you could actually host your own website from your home connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to that, though :(
__david__ 320 days ago [-]
Not really. I still host a number of sites on my home linux box.
ungzd 319 days ago [-]
Nowadays you need PAAS cloud hosting with Kubernetes on at least 3 servers, monitoring SAAS, log storage SAAS, CI for js transpilers, CDN for assets, Cloudflare, SSL certificate, checklist for PWA compliance, UX guidelines, AMP, OpenGraph metadata. Because best practices!
rodgerd 320 days ago [-]
I... still do?

This is more about ISPs where you live than anything else. Most people don't want the hassle.

amatecha 319 days ago [-]
Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections. Common enough that has a "port redirection" feature, interestingly enough:
rcarmo 320 days ago [-]
It used to be the basis for personal web pages, and deployable to via iWeb, the “easy” web authoring tool that baked text into images...

Also, the server variants ran most services (calendars, etc.) behind it.

Edit: premature posting.

thought_alarm 320 days ago [-]
I assume it's so that I can run Bugzilla on my laptop.
nvr219 320 days ago [-]
Right, I feel like anyone who would need apache on MacOS would know how to install it...
Prontiol 320 days ago [-]
AFAIK macOS built in Apache is not started by default, so it is not a security risk anyway
domenukk 320 days ago [-]
That's a strange way to look at things. You could argue the computer doesn't come started by default so it's not a security risk... If there's an option to start it, it's a risk.
mariusmg 320 days ago [-]
Yeah, they should sell those Macs without a start button. That should keep them secure :)
jason_slack 320 days ago [-]
I was hoping this would fix my "Month 13 is out of bounds" error. It doesn't. I still have apps I cannot run now because of this. Looks like it is time to back everything up and wipe my disk back to 10.13 with no other updates.
p49k 320 days ago [-]
Wow, thanks for mentioning this. My Mac has been freezing when opening tons of apps lately, making it basically useless, and I couldn’t figure out what was wrong until I checked this. I never would have guessed it was a core OS issue. What a ridiculous bug to not patch immediately.

Apparently you can at least mitigate it partly by disabling ReportCrash.

jason_slack 320 days ago [-]
Can you share how to do this? Anything I can try to be able to launch some of my critical apps might help.

Edit: for those who are curious:

NightMKoder 320 days ago [-]
Here’s an ok description if folks (like me) are curious: .
jason_slack 320 days ago [-]
Nothing seems to help me in this article. Thanks for posting it. The more we know the better.
minusf 319 days ago [-]
no, not fixed and joined by MirrorDisplays:[1] ( Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

sccxy 320 days ago [-]
How to update when App Store is not working?

> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

Same error is shown on terminal too.

jchb 320 days ago [-]
Do you have any antivirus or (shady) anti-malware software installed? Not necessarily the problem, but it wouldn't be the first time..
sccxy 320 days ago [-]
No. Last successful update was just before this root bug.
tachion 320 days ago [-]
Try and grab yourself a combo update file and apply it to your system.
sccxy 319 days ago [-]
Unable to install from combo update file.

macOS 10.13.2. Update can't be installed on this disk. In order to upgrade to newer version of macOS High Sierra on this disk, please see the instructions here [].

Looks like only way out is reinstall of macOS.

Macbook Air 2013

pjmlp 320 days ago [-]
Maybe Apple should hire a few more of those mythical C developers that never make mistakes.

3 x out of bounds errors

6 x memory corruption issues

numerlo 320 days ago [-]
People are reporting problems on Reddit with the update. Anybody here tried it yet?
celias 320 days ago [-]
It took several minutes on a couple of Macs with fusion drives. It seemed stuck at "Calculating time remaining..." but eventually finished, rebooted, and continued installing, this time displaying a reasonable time remaining value.
ams6110 320 days ago [-]
I had this problem with the last Sierra update. Have not pulled the trigger on High Sierra yet.
robin_reala 320 days ago [-]
Yep, no problems (on a 2012 Air). Doesn’t seem to have fixed the Month 13 problem though…
finchisko 319 days ago [-]
No problem on Air 2012. Upgrade took shorter time than my shower. :D
joemaller1 320 days ago [-]
Direct download link from Apple Support:
iagooar 320 days ago [-]
> Description: A logic error existed in the validation of credentials.

No shit! No one thought of that... Come on, for writing this, you better don't write anything at all...

postit 320 days ago [-]
I find it interesting that the most notable names from P0 team aren't native US citizens.

Even with dual citizenship they won't get clearance easily to work for NSA.

lisper 320 days ago [-]
How on earth can you tell if someone is a native citizen from their name?

And what difference does it make if they're native or naturalized? One of the bedrock principles of American democracy is (or at least is supposed to be) that a citizen is a citizen. There's a reason that the phrase "second-class citizen" is supposed to have universally pejorative connotations.

nl 320 days ago [-]
> bedrock principles of American democracy

Clearances aren't democratic (nor should they be).

No idea how they can tell citizen status from the name, though. I thought the US was made up of people from all over earth with all kinds of backgrounds so one couldn't tell from their name.

komali2 320 days ago [-]
He's not wrong about it being more difficult for people with dual citizenship to get security clearance, though. At least in that sense you can be a "second class citizen."
lisper 320 days ago [-]
I'm a naturalized U.S. citizen with a dual citizenship, and I had no trouble (well, no more than the usual trouble) getting a security clearance.

But what does any of this have to do with anything anyway? The linked-to page doesn't mention the NSA, P0 team, or security clearances.

walshemj 320 days ago [-]
Might be hard for 1st gen citizens when I started work late 10's in the UK all 4 grandparents had to be UK Nationals.
postit 320 days ago [-]
First: I used notable names instead of notable persons. If that caused a confusion or misunderstanding to the point you believe I was segregating or second classing anyone, pardon me.

Second: My intent was to reply to Kiddico's message which says "I find it interesting how many of those are attributed to project zero members" That's the relation of p0 with my reply

Third: Ben Hawkes(NZ), Tavis Ormandy(UK), Ian Beer(UK) and Matt Tate(UK) are often credited as notable members of the project zero team.

summer_steven 320 days ago [-]
>How on earth can you tell if someone is a native citizen from their name?

Why are you playing dumb? He's clearly talking about someone with clearly foreign name, not someone from Canada.

I'm sick of people acting willfully ignorant in their arguments

Someone 320 days ago [-]
Clearly foreign, like Bezos, Obama, or Wozniak?
orionblastar 320 days ago [-]
We need immigration to have foreigners come here, make startups, grow our economy, and create jobs.

The student visa should lead to a green card. Since it does not immigrants go back to their home nation and do startups there.

Not to be political, but Trump does not get that yet.

summer_steven 320 days ago [-]
And those are exceptions to the norm.

Look at the census of the 100 most common American names, they're either traditional American names or Spanish names from those who immigrated here over the last 50 years.

phaemon 320 days ago [-]
Those top 100 names total 50 million people, out of a total US population of 250 million (at time of 1990 census).

That means that 80% of the US population has a surname other than those on that list. Assuming that 80% of the US population are "foreign" because they aren't in the top 100 most common surnames, seems rather foolish.

DRW_ 320 days ago [-]
A lot of those look like traditional British names (also foreign).
asveikau 320 days ago [-]
Just want to repeat what lisper said, and even more emphatically as this is personal to me, you cannot tell a native US citizen from their name. I myself have an 11 character surname from the Baltic States. I was born in Washington DC.

What exactly is a native born American name to you? English origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

cortesoft 320 days ago [-]
I have no idea if this is the case, but it could also be possible that the person you are replying to actually knows of the people listed. He might not be basing his observation on the names themselves.
asveikau 320 days ago [-]
I have encountered too many similar comments to believe that is the case.
postit 320 days ago [-]
Please see my reply to lisper
summer_steven 320 days ago [-]
> I myself have an 11 character surname from the Baltic States.

What exactly is a Baltic surname to you? Russian origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

asveikau 320 days ago [-]
It's neither Russian nor German. Baltic is a linguistic category on its own. Specifically Lithuanian in my case. Latvian is related. There were also Baltic language speakers in Prussia before it became majority German speaking.

"Surname from the Baltic States" implies linguistic precision and specificity that "surname from the United States" does not convey and is in no means equivalent to. There is some vagueness in what I said but I left it there intentionally, people don't get crazy specific about personal details here usually. I was meaning to say I have a "foreign" surname.

summer_steven 320 days ago [-]
You're wrong about there being no traditional American. A traditional United States surname is generally English, Scottish, or Welsh as those were the primary people living in the United States from 1550-1850.

For instance, I remember from History class that there were at least 3 famous guys from the 1700s named "John Smith"

asveikau 320 days ago [-]
You're wrong about the history of the United States. Dutch New Yorkers. Germans in Pennsylvania. (German is the predominant ethnicity of white Americans by the way.) French in Maryland. Lots of land purchased from French and robbed from Spaniards. And I didn't even mention the native peoples... All of these groups exist in significant numbers before the 1800s.

Since you're interested in around 1850, around there starts immigration from places like Ireland, Italy, Poland.. even a few Baltic people.

abrowne 320 days ago [-]
> robbed from Spaniards

They were Mexican by that point, right?

asveikau 320 days ago [-]
Depends where you are talking about. In the southwest or the west coast yes. I was thinking of Florida though, which was earlier. Though as I look that up maybe "robbed" is not the right word.

Then of course much later there was the war with Spain which resulted in Caribbean US territories... This is becoming a big tangent though.

summer_steven 320 days ago [-]
Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh:

No matter what you think, the British Isles are the ones who populated the country.

asveikau 320 days ago [-]
No matter what you think, white Americans are mostly German. Here is the top hit when I googled that:

"German-Americans are America’s largest single ethnic group .... In 2013, according to the Census bureau, 46m Americans claimed German ancestry: more than the number who traced their roots to Ireland (33m) or England (25m). "

dragonwriter 319 days ago [-]
> Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh

Lots of people of other origins adopted English surnames because the British were the dominant early group, and then later people with British names were, even though not always of British descent.

So, now, sure, British surnames are dominant, but that's often not indicative of British descent.

abrowne 319 days ago [-]
People often adopted English surnames or Anglicized their names, especially around WWI (also when the huge number of German language newspapers mostly closed and even towns named after German places were renamed).
dragonwriter 320 days ago [-]
> I find it interesting that the most notable names from P0 team aren't native US citizens.

How do you know?

> Even with dual citizenship they won't get clearance easily to work for NSA.

Not being a native citizen doesn't mean you are a dual citizen; those are orthogonal concepts. Dual citizens are frequently native-born (having citizenship-by-birth in more than one country is a common route to dual citizenship) and naturalized citizens often do not retain foreign citizenship (they formally must renounce it, but some countries don't automatically—or ever—give effect to such renunciation.)

komali2 320 days ago [-]
Huh. What kind of computers are they using over at the NSA, anyway? What about their laptops?
johansch 320 days ago [-]
This is their way of saying: upgrade from Sierra to the seemingly still supremely buggy High Sierra or you'll get owned?

Gee, thanks.

nautilus12 320 days ago [-]
Long time Mac user, versed in Linux but have been using Mac for its "convenience" for years: Upgraded to High Sierra, and my power modes started working totally irrationally with seemingly no explanation. When I closed the lid it suddenly started going crazy and nearly burnt a hole in my desk. I think it burnt out the logic board in this way, the GPU and kernel started panicking after 2 minutes running. When turned off it would turn itself on and go into this crazy hyper swap mode, the box when I was shipping it to AppleCare seemed like it would catch on fire. Had to keep using SMC shutdown to get it to turn off. I don't know if the issue was High Sierra, MacBook Pro 2016 (which are total crap in my opinion why in the world would you hardwire the hard drive into the logic board??), or both, but it suffices to say I'm buying a Thinkpad, and I'm only using Ubuntu on it.
chisleu 320 days ago [-]
Make sure it is a new Intel CPU too so you can't get power management to work there either. #skylakeWasFun
jezfromfuture 320 days ago [-]
You're an idiot
jrochkind1 320 days ago [-]
If I'm reading it right, all those patches are also available for Sierra 10.12.6 and El Capitan 10.11.6 (and will presumably be delivered by an update there), except for the ones that say don't apply to Sierra 10.12.6 (the vulnerability doesn't exist there).


> macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6


> Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1

> Not impacted: macOS Sierra 10.12.6 and earlier

erikcs 320 days ago [-]
Most of the CVEs are fixed in Sierra and El Capitan as well.
kevinherron 320 days ago [-]
Yep... installed the Sierra security update this morning.