<h1>iPhone updates charm and annoy in equal measure, but Apple leaves Mac users in the shade</h1>
<p class="fine-print">Mac OS – The Conversation. Published 2016-09-08.</p>
<p>It’s been a tough month for mobile phone manufacturers: Samsung has recalled its Galaxy Note 7 <a href="https://www.theguardian.com/technology/2016/sep/02/samsung-recall-galaxy-note-7-reports-of-smartphones-catching-fire">due to exploding batteries</a>, the European Commission has handed Apple a <a href="http://www.reuters.com/article/us-eu-apple-taxavoidance-idUSKCN114211">€13 billion fine</a> for its tax practices in Ireland, and Google has <a href="http://www.mediapost.com/publications/article/283995/google-thinks-mobile-first-unless-its-a-modular-p.html">withdrawn from the modular phone project</a> which would have allowed consumers to switch out components as and when they wanted.</p>
<p>So this year’s September Keynote product launch should offer Apple an easy opportunity to impress the market with announcements of the new iPhone 7 and iPhone 7 Plus, a slight upgrade to the watch, now called Series 2, and various software updates. But notable by its absence was any announcement related to the product that made Apple’s name: the Mac. </p>
<h2>New but familiar, the iPhone 7</h2>
<p>Apple tends to redesign the iPhone bi-annually, with alternate years offering speed bumps and minor features. This year brings major revisions, with a new design, a dual camera system that offers better zoom, higher resolution images, and the <a href="http://www.theverge.com/2016/9/8/12845984/apple-plugs-iphone-7-parody">controversial removal of the universal standard audio jack</a>. </p>
<p>The diameter of the audio jack limited designers’ ability to shrink the phone further, so its days were numbered. Instead headphones will be wireless using Bluetooth, or plug into the Lightning port. Apple has of course released its own wireless AirPods headphones (RRP: US$159/£120), or those with expensive headphones can <a href="http://www.theverge.com/2016/9/7/12751058/apple-iphone-7-earbud-headphone-jack-adaptor-dongle">buy an adaptor to keep using them</a>. Dropping such a well supported standard is a typically bold Apple move, but other manufacturers have already tried it – the <a href="http://www.theverge.com/2016/6/10/11900992/moto-z-specs-no-headphone-jack">Motorola Moto Z</a> for example – with limited success.</p>
<p>The iPhone’s system software is also boosted to <a href="http://arstechnica.com/apple/2016/09/ios-10-launches-september-13-with-imessage-apps-a-siri-api-and-more/">iOS 10</a>, which makes more of the system software accessible to developers – for example Siri will be available in third-party apps. While those improvements will only be felt once apps start to integrate these features, the Messages app and messaging experience will be improved, an attempt to counter the success of WhatsApp and Facebook Messenger. This update will arrive for older devices on September 13.</p>
<h2>Watch Series 2, now waterproof</h2>
<p>The <a href="https://www.theguardian.com/technology/2016/sep/07/iphone-7-launch-apple-watch-2-gains-gps-longer-battery-life">Watch Series 2</a> follows the same cycle with major revisions every other year, bringing on this occasion a minor upgrade of faster components, a better screen, waterproofing and the new watchOS within the same shell. Significant architectural changes to watchOS should speed up applications, and bring changes to several design metaphors. Adding GPS to the watch allows a degree of decoupling from the iPhone, but the iPhone still has to be in range for many of the Watch’s functions. Despite its sluggish sales, this is still the device to beat. Particularly if you are addicted to Pokémon Go (which now runs on the Watch).</p>
<h2>Does anyone still care about the Mac?</h2>
<p>For many years, there has been a vocal minority arguing that every Apple Keynote is the last opportunity for the company to demonstrate that it can still out-innovate the competition and to counter the prevailing wisdom that Apple has abandoned its professional users for consumer-focused devices. For the first time in a long while, <a href="http://www.fool.com/investing/2016/07/13/apple-inc-loses-pc-market-share.aspx">Apple’s computer sales recently dropped</a> and <a href="http://www.computerworld.com/article/3062555/smartphones/iphone-sales-drop-in-q1-reflect-a-market-that-remains-flat.html">even iPhone sales fell</a>.</p>
<p>To some extent this is true: the line of Mac computers that made the company’s fortune from the 1980s onwards <a href="https://www.yahoo.com/tech/hey-apple-how-about-shipping-a-new-computer-150725169.html">has been moribund over the last two or three years</a>. Some Mac products have dropped off review sites’ and magazines’ recommended lists. So it’s surprising that there were no updates to any of the Mac products. Most of the desktops and laptops <a href="http://buyersguide.macrumors.com/#Mac">now contain very old components</a>, leaving the creative professionals who are the Mac-using Apple stalwarts with outdated and ageing equipment. Someone at Apple needs reminding that the developers who create apps for the iPhone use Mac computers.</p>
<p>So, while the iPhone 7 will be desirable for those using substantially older iPhones, upgrading from the previous generation iPhone 6 or 6s is harder to justify. There probably isn’t enough to replicate the massive sales surge when Apple first introduced the larger iPhone 6, but the slide towards online services allows Apple to transition towards making more money from storage and services – which encroaches on Google’s income stream. Is there enough here for Android users to justify a switch? Probably not. And while the new Apple Watch isn’t sufficiently different from last year’s model to massively increase sales, it may appeal to those who exercise regularly or for whom waterproofing is helpful.</p>
<p>But changes to the pro-computer line are needed desperately. Apple needs to bring back more regular updates to ensure it doesn’t begin to lose its heartlands – those who were Apple buyers well before the iPhone took the world by storm. At the same time, it’s easy to see the root of Apple’s laser-like focus on its phone: other mobile manufacturers make very little money from their phones, while <a href="http://www.independent.co.uk/news/business/analysis-and-features/apples-iphone-the-most-profitable-product-in-history-10009741.html">each iPhone is sold at a 40% profit</a>, adding to the huge cash mountain upon which Apple sits.</p>
<p class="fine-print"><em><span>Barry Avery does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Loss of the headphone jack may annoy some, but think of the poor Mac users with almost no updates since 2012.Barry Avery, Associate Professor, Informatics and Operations, Kingston UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/326402014-10-08T05:18:02Z2014-10-08T05:18:02ZiWorm hack shows Macs are vulnerable too<figure><img src="https://images.theconversation.com/files/61060/original/4vhrykms-1412694323.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">That's one sad Mac.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/nickkellet/6839330932/">nickkellet</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>The computer operating systems and applications we use today have often evolved over many years, decades even, and contain tens or hundreds of millions of lines of code. Flaws in that code – and there will always be some – give rise to security problems that, in an internet-connected world, are an increasing problem. </p>
<p>Many are found in code written in the C++ programming language – in Microsoft Windows, in Java, in applications such as Adobe Flash or Reader, the Outlook email client, browsers such as Internet Explorer and Firefox, and increasingly Linux and OS X. Any issues found to affect Linux and other Unix-like operating systems cause problems for Apple because OS X is Unix-like in nature.</p>
<p>Apple’s decision to redevelop a new operating system for the Macintosh based on Unix was a momentous one. A <a href="http://www.computerworld.com/article/2524660/operating-systems/the-unix-family-tree.html">family of related operating systems</a>, Unix has evolved since the early 1970s and continues to be used and developed today. Technically OS X is a “Unix-like” operating system called <a href="http://support.apple.com/kb/ta25634">Darwin</a>; Linux is another Unix-like operating system. This decision meant the company could rely on the stability of Unix and focus on the user experience.</p>
<p>Will this decision return to bite Apple, however? The flaws now being discovered in Unix-like operating systems also affect OS X. Many bugs are being found that have gone unnoticed for years – the Heartbleed flaw in OpenSSL for example relates to C++ code written by Eric Young in 1998.</p>
<h2>Lair of the iWorm</h2>
<p>Last week, Dr. Web (a Russian security firm) detailed a <a href="http://www.techtimes.com/articles/17226/20141006/os-x-malware-mac-backdoor-iworm-piggybacks-reddit-to-infect-over-17000-macs-how-about-yours.htm">newly discovered piece of malware</a> for OS X, called Mac.BackDoor.iWorm. This allows hackers to take control of a computer, using it as part of a botnet (a group of perhaps thousands of compromised, remotely-controlled computers) for illegal activity such as spamming or performing distributed denial of service (DDoS) attacks, where a website is overloaded with requests and forced offline.</p>
<p>After Dr. Web detected more than 17,000 computers infected with the worm, Apple <a href="http://www.tuaw.com/2014/10/06/apple-updates-xprotect-malware-definitions-to-shut-down-iworm/">responded quickly</a> by adding the malware’s signature to the <a href="http://www.thesafemac.com/mmg-builtin/">XProtect</a> malware scanner built into OS X. But this only protects a machine whose XProtect definitions have been updated to include the new signature.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/oOn-pu1Qn3k?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Detecting the iWorm.</span></figcaption>
</figure>
<p>Interestingly, iWorm’s creators used the popular website Reddit as an attack vector. The addresses of the hackers’ command and control servers were posted in a fake Minecraft discussion forum – iWorm would browse Reddit to find these addresses, connect and wait for instructions. Reddit closed the hackers’ user accounts and the fake forum, cutting off the iWorm’s controllers – for now. The <a href="http://www.tuaw.com/2014/10/06/apple-updates-xprotect-malware-definitions-to-shut-down-iworm/">suggestion</a> is that it spread originally through pirated software infected with malicious code downloaded from torrent sites (making it more of a Trojan than a worm).</p>
<h2>Shell Shock</h2>
<p>Another recent bug, the <a href="https://theconversation.com/bigger-than-heartbleed-bug-in-bash-leaves-millions-of-web-servers-vulnerable-32231">Shellshock vulnerability</a> found in the Bash shell program affects practically all Unix-like operating systems (including Linux and OS X) because it’s such a common program, included by default in most installations. As Linux is found in many embedded systems – network hardware such as routers and switches, microcontrollers that operate traffic lights, industrial production lines and all sorts of other uses – the number of potentially vulnerable devices is huge.</p>
<p>The bug allows an intruder to remotely run arbitrary commands. So far hackers have concentrated on using Shellshock to control web servers through their CGI function, one of the oldest methods through which a program could communicate with a web server. Today CGI has been largely replaced by PHP and other high-level scripting languages, but many millions of servers retain it for compatibility.</p>
<p>Even where Shellshock is used to run commands on a remote machine, the potential for damage on a properly security-hardened server is limited, as most of the important operations require higher-level privileges – if the server is correctly configured.</p>
<h2>Buffer overflow attack</h2>
<p>Such programming errors show how sloppy software developers have been (and often continue to be), and how long such flaws can hang around – some 23 years for Heartbleed. Many bugs are due to C++ programming errors, causing programs to act incorrectly when the data a program receives is not what it expects. A common way of exploiting this is a <a href="http://www.cse.scu.edu/%7Etschwarz/coen152_05/Lectures/BufferOverflow.html">buffer overflow</a>.</p>
<p>Programs typically allocate a certain amount of memory (buffer) to variables used by programs to store and pass around data. That data is expected to arrive in a certain format and fit within the memory allocation. If it arrives and is larger than it should be it can overwrite code stored in neighbouring memory areas, causing the program to become erratic, crash, or execute code contained in the data sent that overruns the buffer.</p>
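<p>The buffer described above, as an added example written for this page (not code from the article): a fixed-size field filled from untrusted input, in the unchecked form that overruns into the neighbouring field and in the checked form that refuses input that would not fit. The struct, the function names and the sample inputs are constructed for illustration; the unchecked copy is shown for contrast and is never called with an over-long input, so the program itself stays well defined.</p>

```c
/* Added example, not code from the article: a fixed-size buffer filled from
 * untrusted input, first in the unchecked form the article warns about and
 * then with the length check that prevents the overrun. Names and inputs
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16           /* the buffer the program "expects" input to fit */

struct record {
    char name[NAME_LEN];      /* the buffer */
    int  is_admin;            /* the "neighbouring memory" an overrun would hit */
};

/* Vulnerable pattern: strcpy() stops at the NUL of src, not at the end of
 * dst, so any input of NAME_LEN or more bytes writes past name[] into
 * is_admin and beyond. Shown for contrast; never called with long input. */
void set_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened form: reject input that would not fit, NUL included, and report
 * the rejection instead of overrunning. Returns 0 on success, -1 on reject. */
int set_name_checked(struct record *r, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof r->name) {
        return -1;
    }
    memcpy(r->name, src, n + 1);   /* n + 1 copies the terminating NUL too */
    return 0;
}

/* How many bytes the unchecked copy would write beyond name[] for a given
 * input (0 when it fits): the arithmetic behind the overflow, computed
 * without performing the out-of-bounds write. */
size_t overrun_bytes(const char *src) {
    size_t needed = strlen(src) + 1;   /* bytes strcpy() would write */
    return needed > NAME_LEN ? needed - NAME_LEN : 0;
}

int main(void) {
    struct record r = { "", 0 };
    const char *ok  = "alice";                      /* constructed inputs */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";    /* 24 bytes */

    printf("'%s': checked copy %s, overrun %zu bytes\n", ok,
           set_name_checked(&r, ok) == 0 ? "accepted" : "rejected",
           overrun_bytes(ok));
    printf("'%s': checked copy %s, overrun %zu bytes (enough to reach is_admin)\n",
           bad, set_name_checked(&r, bad) == 0 ? "accepted" : "rejected",
           overrun_bytes(bad));
    printf("name is still '%s', is_admin is still %d\n", r.name, r.is_admin);
    return 0;
}
```

<p>The check in <code>set_name_checked</code> compares against the destination’s size rather than the source’s, which is the whole difference: the unchecked version has no idea how big <code>name</code> is. Rejecting over-long input loudly, rather than silently truncating it, also makes such attempts visible in logs.</p>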
<p>Similar but not quite the same, the <a href="http://www.theregister.co.uk/2014/04/09/heartbleed_explained/">Heartbleed flaw</a> lay in a feature of SSL called a “heartbeat”, a challenge-response between two computers designed to keep the connection open. The code required the client computer to send a string of characters, and a number totalling the length of that string of characters. The server reads the number and sends back that many characters. The attack worked because the attacker could, for example, deliberately send only one character but ask for 500; the server responds with a further 499 characters drawn from memory which, on a server running SSL, may well contain sensitive data such as usernames, passwords or even credit card details.</p>
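<p>The heartbeat length mismatch described above, as an added example written for this page (not code from the article or from OpenSSL): a simplified heartbeat record (type, two-byte length, payload, 16 bytes of padding) is processed once by a handler that trusts the length field and once by a handler that checks it against the bytes actually received. The record layout, the function names and the neighbouring “secret” data are constructed for illustration, and process memory is modelled as a plain array so the over-read stays inside it and the program is well defined.</p>

```c
/* Added example, not code from the article or from OpenSSL: a simplified
 * heartbeat handler with and without the bounds check that Heartbleed lacked.
 * Record layout (constructed): [type:1][payload_len:2 big-endian][payload][16 bytes padding].
 * "memory" stands in for process memory: the record sits at the front and
 * constructed neighbouring data follows it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16
#define MEM_SIZE   256

static unsigned char memory[MEM_SIZE];                               /* constructed process memory */
static const char   secret[] = "session=abc123; password=hunter2";  /* constructed neighbour data */

/* Write a heartbeat request that claims claimed_len bytes of payload but
 * actually carries actual_len. Returns the number of bytes in the record. */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                       const char *payload, size_t actual_len) {
    buf[0] = 1;                                   /* heartbeat request */
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable pattern: the handler trusts the length field and echoes that
 * many bytes from the payload, reading past the record if the field lies.
 * Returns the number of bytes written to resp. */
size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp) {
    (void)rec_len;                                /* never consulted: the bug */
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = 2;                                  /* heartbeat response */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, n);
    return 3 + n;
}

/* Fixed pattern: header + claimed payload + padding must fit inside the
 * bytes actually received; otherwise the record is dropped (returns 0). */
size_t heartbeat_checked(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp) {
    if (rec_len < 3 + HB_PADDING) return 0;
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)n + HB_PADDING > rec_len) return 0;   /* the missing check */
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, n);
    return 3 + n;
}

/* Byte-string search (memmem is not in standard C). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0) return 1;
    return 0;
}

/* The article's scenario: one byte sent, many requested. Returns 1 if the
 * unchecked handler's reply carries the neighbouring secret, else 0. */
int unchecked_leaks_secret(void) {
    unsigned char resp[MEM_SIZE];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_heartbeat(memory, 64, "x", 1);        /* 20-byte record */
    memcpy(memory + rec_len, secret, sizeof secret);             /* data next door */
    size_t out = heartbeat_unchecked(memory, rec_len, resp);     /* 67 bytes sent back */
    return contains(resp, out, "password=hunter2");
}

/* Reply length the checked handler produces for a given request. */
size_t checked_reply_len(uint16_t claimed_len, const char *payload, size_t actual_len) {
    unsigned char resp[MEM_SIZE];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_heartbeat(memory, claimed_len, payload, actual_len);
    memcpy(memory + rec_len, secret, sizeof secret);
    return heartbeat_checked(memory, rec_len, resp);
}

int main(void) {
    printf("unchecked handler leaks secret: %s\n", unchecked_leaks_secret() ? "yes" : "no");
    printf("checked handler, 1 byte sent / 64 claimed: %zu bytes replied\n",
           checked_reply_len(64, "x", 1));
    printf("checked handler, honest 5-byte request:    %zu bytes replied\n",
           checked_reply_len(5, "hello", 5));
    return 0;
}
```

<p>The only difference between the two handlers is the single comparison of the claimed length against <code>rec_len</code>. A length that arrives from the network is attacker-controlled data, and it has to be reconciled with the number of bytes actually received before it is used as a copy size.</p>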
<h2>Moving targets</h2>
<p>So after decades of vulnerabilities appearing on Microsoft Windows, now they are beginning to show up in others such as Linux and OS X. Code will always contain errors and oversights, and the apparent security of an operating system has as much to do with how many people are interested in finding flaws in it. With billions of desktop, laptop and mobile devices running some version of Windows, it’s a magnet for hackers as much as it is for security experts trying to find those vulnerabilities first.</p>
<p>Personal computers running Linux (less than 2% of all PCs) or OS X (less than 7%) are few in comparison. But two-thirds of the internet’s servers are Linux/Unix-based and perhaps this is where those with malicious intent are turning their attention. And if that happens, Mac OS X may well become collateral damage.</p>
<p>While Apple has been fast to release patches, the danger is that users do not install the updates – as is the case with many Windows users, millions of whom run old, out-of-date and vulnerable versions of Windows and other programs. In the future, Apple will need to find its own vulnerabilities, review its own code and not leave it to the security community – which becomes a race between the protectors and the exploiters.</p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The computer operating systems and applications we use today have often evolved over many years, decades even, and contain tens or hundreds of millions of lines of code. Flaws in that code – and there…Bill Buchanan, Head, Centre for Distributed Computing, Networks and Security, Edinburgh Napier UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/322312014-09-26T12:47:07Z2014-09-26T12:47:07ZBigger than Heartbleed? Bug in bash leaves millions of web servers vulnerable<figure><img src="https://images.theconversation.com/files/60179/original/5nrvgy67-1411732288.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Better bash that bash bug, big time.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-124757866/stock-photo-server-data-on-a-monitor.html?src=78d0oghwouoUqqY7Y124Vg-1-7">isak55/Shutterstock</a></span></figcaption></figure><p>A first and quite reasonable thought readers may have will be to wonder: what is bash? </p>
<p>When you use a computer you probably interact with it through a point-and-click, visual interface such as Windows or Mac OS. More advanced users or specific tasks might require a text-only interface, using typed commands. This command line program is known as a shell, and bash is the acronym for Bourne Again SHell (a successor to the Bourne shell, written by Stephen Bourne – that’s geek humour right there), known to everyone as <a href="https://www.gnu.org/software/bash/bash.html">bash</a>.</p>
<p>So what you need to know is that a shell is essential, and that bash as the most common shell in use is installed on pretty much every machine that runs a flavour of Linux or Unix. That includes Mac OS X – which behind its shiny desktop is a Unix-based operating system too. </p>
<p>What has systems administrators hot under the collar right now is the discovery by Red Hat, a firm that produces one of the long-established distributions of Linux favoured by enterprise, of a vulnerability in bash. This bug, which is being called “<a href="https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/">shellshock</a>”, allows <a href="http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability">under specific conditions</a> a hacker to remotely access and take control of a system running a vulnerable version of bash.</p>
<p>Potentially vulnerable computers running Linux/Unix account for around <a href="https://secure1.securityspace.com/s_survey/data/201211/index.html">two-thirds of web servers on the internet</a>. That will include a huge number of online services you use – shops, banks, social networking sites, government services. The police and military, too. </p>
<h2>Huge scope online</h2>
<p>Now you can see why everyone is panicking and claiming that this is bigger than the <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">Heartbleed</a> bug, a problem that only affected one specific technology (Secure Sockets Layer, SSL) which is not near-universal like bash. It has been classed as a maximum risk factor 10 of 10.</p>
<p>Red Hat has <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/">released a patch</a> to close the loophole and solve the problem, but it’s not perfect and still allows an attacker other vectors to exploit. Other Linux and Unix vendors will be on the case as a matter of urgency and no doubt there will be an update from Apple for its Mac OS systems very soon. It isn’t the fault of one organisation – while tempting, there is no cause to bash Apple this time.</p>
<p>This vulnerability, dating back to version 1.13 of the program, has existed <a href="http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/">for 22 years</a> and it has taken detailed analysis by security experts to find it. Now it has been made public, vendors and system administrators are scrabbling to close the hole while hackers and cybercriminals are trying to exploit it.</p>
<p>In fact, within 24 hours of being announced, exploits are <a href="http://www.theregister.co.uk/2014/09/26/bad_guy_builds_beastly_bash_botnet/">already being reported in the wild</a>. The issue is exacerbated by the fact that shell programs such as bash are designed to be reached remotely, through programs such as SSH or telnet. It isn’t too difficult to send commands to a remote device or to encourage users to download an application that uses the same commands.</p>
<p>But that assumes the attacker is able to bypass your perimeter protection such as a firewall and other network security policies. As a network engineer, I know that while there is a weakness on my system that must be resolved, there are other defence mechanisms already surrounding that weakness that still provide protection.</p>
<p>However, those running a web server – whose entire function is to respond to those remote calls (in this case, your web browser’s requests for pages on the site you’re browsing) – have much more of a problem. This provides a route into the system that can’t be blocked with a firewall as it would also block legitimate requests for the web server. Systems administrators are probably very busy at the moment trying to ensure that their bash environments cannot be exploited.</p>
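<p>The web server route described above, and under “Shell Shock” in the iWorm article, as an added example written for this page (not code from either article or from any web server): a CGI gateway copies request headers into environment variables, so a client controls their values, and bash (unpatched) would parse any value beginning “() {” as a function definition and keep executing what followed the closing brace. The code builds a constructed CGI environment and filters out values of that shape before a child shell could see them. The header names, the request and the function names are assumptions; this gateway-side filter complements installing the vendor patch and does not replace it.</p>

```c
/* Added example, not code from the article or from any web server: the
 * environment a CGI gateway builds from an HTTP request, and a filter that
 * drops values shaped like exported bash functions before a child shell
 * can see them. Header names, the request and the function names are
 * constructed; this complements patching bash, it does not replace it. */
#include <stdio.h>
#include <string.h>

/* bash imported a function from any environment value beginning "() {",
 * whatever the variable's name, and (unpatched) kept executing past the
 * closing brace. That prefix is the signature to refuse at the gateway. */
int looks_like_exported_function(const char *value) {
    return strncmp(value, "() {", 4) == 0;
}

/* Split "NAME=value" and test the value part. Entries without '=' are kept. */
static int entry_is_suspect(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq != NULL && looks_like_exported_function(eq + 1);
}

/* Compact a NULL-terminated environment array in place, removing suspect
 * entries. Returns the number of entries dropped. */
size_t sanitize_env(char **envp) {
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (entry_is_suspect(envp[i])) {
            dropped++;
        } else {
            envp[kept++] = envp[i];
        }
    }
    envp[kept] = NULL;
    return dropped;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_count(char **envp) {
    size_t n = 0;
    while (envp[n] != NULL) n++;
    return n;
}

int main(void) {
    /* Constructed CGI environment: the gateway copies request headers into
     * HTTP_* variables, so a client controls these values directly. */
    char *env[] = {
        "REQUEST_METHOD=GET",
        "SCRIPT_NAME=/cgi-bin/status.sh",
        "HTTP_HOST=www.example.com",
        "HTTP_USER_AGENT=() { :; }; echo probe",   /* shaped like a bash function */
        "HTTP_COOKIE=() { :; }; echo probe",       /* same shape, different header */
        "HTTP_ACCEPT=text/html",
        NULL
    };
    size_t before  = env_count(env);
    size_t dropped = sanitize_env(env);
    printf("%zu entries before, %zu dropped, %zu passed to the child:\n",
           before, dropped, env_count(env));
    for (size_t i = 0; env[i] != NULL; i++) printf("  %s\n", env[i]);
    return 0;
}
```

<p>The filter looks at the value, not the variable name, because bash imported functions from every variable regardless of its name. Logging each dropped entry, together with the client address, also turns the gateway into a cheap detector for scanning activity while the patch is rolled out.</p>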
<p>Also of concern are the tens of millions of pieces of networking hardware such as routers and switches that connect the internet’s computers together. Almost all run stripped-down versions of Linux-like operating systems optimised for networking, but <a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=35816">they also include bash</a> for network engineers to connect and control them. These will need to be patched too.</p>
<h2>Desktop users are safe</h2>
<p>The rest of us can probably breathe easier. Attackers are more interested in compromising systems that may return financial advantage, which is unlikely to be our desktop computers.</p>
<p>My advice to Apple Mac users is to check <a href="http://support.apple.com/kb/ht1810">firewall settings</a> and take care when downloading any third-party application not available via the App Store. For Linux users the same applies – Ubuntu has a software centre, for example, where the community have checked all available applications to date. In any case, a patch will be available soon. Windows users are unaffected (and it’s not often you can say that).</p>
<p>Some are suggesting this bug is a larger problem for Apple desktop devices than it really is. Unless your machine has been set up to allow others remote access to it (it wouldn’t do so by default), has also switched off the firewall and is not using a protected network (home broadband routers provide their own protection, for example), then I wouldn’t worry – but install whatever recommended updates appear in the days to come.</p>
<p class="fine-print"><em><span>Andrew Smith was historically affiliated with the Linux Professional Institute.</span></em></p>A first and quite reasonable thought readers may have will be to wonder: what is bash? When you use a computer you probably interact with it through a point-and-click, visual interface such as Windows…Andrew Smith, Lecturer in Networking, The Open UniversityLicensed as Creative Commons – attribution, no derivatives.