
Re: DirectoryService startup problems



> On 28 Apr 2004, at 21:27, Michael Bartosh wrote:
>
>> At 12:57 PM -0500 4/28/04, Matt Burnett wrote:
>>> Besides that, back in the public beta or 10.0 days I emailed Apple
>>> Product Security that you could get the ciphertext passwords as any
>>> user by repeatedly calling getpwent().
>>
>> Oh come on, like Apple wasn't aware of that? How can they give credit
>> to the many thousands of people that knew crypt() hashes were stored
>> in NetInfo?
>
> The fact that NetInfo didn't shadow the passwords was a known issue
> since the mid-90s or earlier, AFAIK, so even if you discovered it
> around public beta or 10.0 days you certainly weren't the first.
I wish people would have fully quoted me; on this list and in private, people
have said I wasn't the first. I did include "and I'm sure others did too". I
was simply saying Apple should have given credit to the first person who
reported it.


>
> On 28 Apr 2004, at 21:36, Matt Burnett wrote:
>
>> Yeah, I realize I probably didn't phrase my message as well as I could
>> have. I'm not trying to blame the engineer who actually develops
>> SecurityServer; I know first hand how easy it is to make a mistake like
>> that, but instead am somewhat blaming Apple Product Security and mostly
>> Apple's corporate culture.
>
> Apple does suffer from a lot of problems associated with being a large
> company, yes, and there is a lot of bureaucracy involved with that. And
> yes, it can be extremely frustrating trying to make yourself heard if
> you don't know exactly who to talk to or what to do. However, if you
> can find real people to talk to, they are on the whole extremely
> helpful and genuinely interested in what people have to say. The
> mailing lists are great for that.
Yeah, it's just hard trying to find the people. Emails I send to Apple seem to
get ignored, or it takes 2 weeks to get a reply; that's why I liked calling
them.


>> The fix was one or two lines of code, just to check if a value was
>> 0xFFFFFFFF, and I could have patched it if SecurityServer was 100% open
>> source. I wrote a quick patch to fix it, but when I tried to compile I
>> realized there were some missing headers (for fft encryption I believe)
>> and possibly other files as well.
>
> This is a major issue with Apple's attempt to develop open-source
> software within a closed-source environment. Things break because
> people inside Apple don't regularly try and build stuff in a clean
> environment, so you'll end up with dependencies on closed-source stuff
> sneaking in. SecurityServer *is* 100% open-source. If it doesn't build,
> poke someone. If there's something seemingly missing, poke one of
> Apple's open-source people (kvv is probably your best bet these days)
> and they can hunt it down and figure out what's gone wrong from the
> inside. Or send an e-mail to one of the lists.
>
A while back I googled the issue and was reading on some list (at MIT, I
think) that there were some ciphers that SecurityServer needed that Apple
hadn't made open-source yet due to patent issues.

>> I don't think Apple was really trying to steal
>> stuff from me, but that they care a lot more about you if you have a
>> domain name they recognize rather than just being some guy.
>
> It's probably more likely that they just have an established
> relationship with the security companies that they are in contact with
> on a regular basis. You already said that you phoned it in, which is a
> bit weird and probably not the advised thing to do. It sounds like you
> filed a radar, in which case that likely went directly to the engineers
> responsible and bypassed the security department entirely, so they
> probably didn't know you were responsible at all.
>
Apple listed a phone number on their product security page specifically to
call in security issues. Apparently whoever put that up there was smoking
something, as I found out when Apple Product Security emailed me back. Yeah,
ADC told me to file a radar. Doesn't radar list the account info for whoever
reported it? Isn't that the reason they force us to log in, or do I need to
drink more coffee?

>> I don't think that I wasn't the first to discover it; if I wasn't, I
>> doubt Apple Product Security would have contacted me after I released
>> the advisory. I'm simply annoyed they give credit to others and not me,
>> even after I complained about the missing credit (yeah, I know I'm
>> sounding like a broken record).
>
> I just thought I'd take this opportunity to point out that your e-mail
> client is a bit broken and I'm getting a "9" instead of an apostrophe.
Yeah, I noticed that... grr.

>
> -- Finlay
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.