Was thinking similarly, that it reads as though they couldn't plug these holes with software so there are a bunch of non vintage/obsolete Macs out there that are still vulnerable. If so, it would be nice if Apple were to explain the contours of that vulnerability so that owners can take appropriate precautions.

1. Do not leave your computers unattended in public.
2. Do not let unauthorized personnel approach your computers without supervision.
3. Do not boot your computers from an unidentified USB device.

I'm serious. The so-called "Dark Matter", as well as other firmware / bootloader vulnerabilities, can only be leveraged by direct physical access to your computer. So don't expose your computer to an unsecured environment, even if it's locked.
 
What else they gonna say. So what Apple is telling me, most of my Macs are vulnerable and I should buy a new one lol......

Face it people, if you own an electronic device, privacy and security is a myth. Apple does not even know what current exploits exist. Saying any Mac after 2013 is okay is damning. It's shocking that it took these leaks for some of Apple's smugness about security to come through.
1. Do not leave your computers unattended in public.
2. Do not let unauthorized personnel approach your computers without supervision.
3. Do not boot your computers from an unidentified USB device.

I'm serious. The so-called "Dark Matter", as well as other firmware / bootloader vulnerabilities, can only be leveraged by direct physical access to your computer. So don't expose your computer to an unsecured environment, even if it's locked.

If you have ever worked in an office ..... and needed a toilet/coffee break 1-3 easily achieved.

If you are a student or self employed, yeah you can take 1-3 much more seriously .... though in the real world it's quite common not to carry your computer with you at all times and leave it at your desk.
 
No. They are not updating the Mac Pro to help the business using them maximize profits by minimizing incremental hardware upgrade expenses. There's nothing on Facebook or your little social media services that requires any computer tech past 2006. Users have gotten dumber and less sophisticated, so a Mac Pro from 3 years ago (didn't actually ship until 2014) smokes for pretty much everything you'd ever need.

But you should email Tim Cook directly and tell him you want that new Mac 'I Play Games'... ahem... mean Mac Pro.
I am not playing games and the GPU is kind of outdated. Especially if you are doing 4K or more editing and color corrections. Just saying.
 
"We are tireless defenders of our users' security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users."
This clumsy disconcerting sentence runs three topics together and makes it hard to understand exactly what they mean.

Theft? Of CIA exploits? Such that Apple is flipping the bird to Wikileaks because they see the Wikileaks info as stolen? So Apple cares enough about users to only use info in the public domain and to avoid tangling with the US government over receiving "stolen" info via Wikileaks?

Couldn't Apple care more and ask a federal judge to permit Apple to take possession of that info? (Maybe Apple News could do so as a nascent journalistic operation, and in documenting the story, involve Apple technical experts. The stories could be published after the exploits were closed.)
That indeed leaves a serious void, as they claim to stop only security holes that they formally acknowledge.
That's different from: everything
Read: we're not going to replace affected/vulnerable hardware in the field, in our catalogue, or in the outdated designs that we sell for new.
And we're not documenting them either because we formally do not confirm the existence of such holes.
That's close to appeasing the market while minimizing security efforts to OS updates.
Imagine a car company that says "we're not calling back your older model because we formally do not know the steering wheel can be problematic, and we're not investigating it because that info comes from dubious sources..."

Wikileaks tweeted today
"Apple's claim that it has "fixed" all "vulnerabilities" described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day."

Therefore, selling outdated (EFI) hardware is selling time bombs.
Independent researchers will know at what risk (too bad Zdziarski is now embedded @Apple)
 
General rule: if it can be jailbroken it can be hacked, but it requires the device and all credentials to do it. The only other method is reading the chips.

In reality no one is spying on you on an Apple device by hacking software they're doing it by getting your credentials only. Android on the other hand is a sieve so Apple is the most secure option anyway.
 
They have a whole dept dedicated to Apple products, I think they still know what they're doing

They were almost certainly purchasing some of their exploits from the black market. If they're as omnipotent as people think they are, they wouldn't have needed to go to that Israeli company to get the San Bernardino iPhone cracked. Some of the exploits that have been getting big press are pretty run of the mill flaws that are always popping up and getting quashed all the time.

This isn't to say that the CIA is nothing but a bunch of script kiddies. I have no doubt you wouldn't want to be in their crosshairs, but a lot of this is getting overblown because it came through Wikileaks. People who are exposed to cybersecurity threats on a regular basis have seen a lot of this before.
 
Wikileaks tweeted today

"Apple's claim that it has "fixed" all "vulnerabilities" described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day."
 
Sane people question things that are made up or are provided without evidence. If someone presented this without context or just claimed them without basis to believe them, I sure would doubt them. I want hard evidence before I accept claims.

You have a lot to learn about the world you have been living in.
Wikileaks tweeted today

"Apple's claim that it has "fixed" all "vulnerabilities" described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day."

Saw that tweet today as well. Also said the vulnerabilities were factory installed. I don't think Apple has fixed a damn thing to be honest, don't think you can fix it.
 
You have a lot to learn about the world you have been living in.
I don't think Apple has fixed a damn thing to be honest, don't think you can fix it.
Well, apparently they go for the lowest hanging fruit, restricting their security efforts to just OS updates (leaving older EFI hardware, a main part of their current catalogue and even more in the field, at risk)
See the timebomb / car call-back analogy mentioned above.
 
Do we really believe CIA is behind the times, to the extent of 2009ish?

They have a whole dept dedicated to Apple products, I think they still know what they're doing

Apple has been learning for many years. The CIA can't do anything if there is no vulnerability. It's probably not the CIA anyway, but the NSA.
 
Wikileaks tweeted today

"Apple's claim that it has "fixed" all "vulnerabilities" described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day."
I agree with this. Also afaik EFI modules/drivers don't need to be digitally signed or are not properly evaluated when they are signed.
 
If you have ever worked in an office ..... and needed a toilet/coffee break 1-3 easily achieved.

Your office computer shouldn't have any personal information on it, so this would hurt your employer. Your employer's responsibility is to let nobody into the office that cannot be trusted. So are you afraid that your colleagues are spying on you, using exploits created by the CIA?
 
Was thinking similarly, that it reads as though they couldn't plug these holes with software so there are a bunch of non vintage/obsolete Macs out there that are still vulnerable. If so, it would be nice if Apple were to explain the contours of that vulnerability so that owners can take appropriate precautions.

There were several EFI firmware upgrades some years back; they addressed exactly that.
To summarize, all supported machines are *not* vulnerable assuming *ALL* updates are installed.
 
Your office computer shouldn't have any personal information on it, so this would hurt your employer. Your employer's responsibility is to let nobody into the office that cannot be trusted. So are you afraid that your colleagues are spying on you, using exploits created by the CIA?

Yeah, cause these exploits exist to steal data from smug Starbucks power users with state secrets. I cannot think of a single reason why someone would want to use this for industrial espionage. And getting access into a building is almost impossible ....

Can I ask how you figure you should not have personal data on a work computer? Flawed theory, you may not have YOUR personal data, but you can have company data that has personal info along with access to company systems that can access the data. Trust me, a work computer is worth so much more. Many people keep personal data on work computers anyway, unless you work for the government with very locked down systems.
 
What's worrisome are the ones that survive a complete wipe and OS install. I hope Apple continues to harden its products from those types of attacks.

There are limits to what Apple - or any other computer manufacturer - can do. A lot of those vulnerabilities are located in parts over which Apple does not have any control, the most prominent example being the CPU itself. The "Management Engine" of Intel Processors has been identified as an actual backdoor a long time ago, and all post Core 2 Duo CPUs have it and there is nothing that can be done on a user level about it.

And even if one would magically manage to completely harden the computer -- we live in a networked world. The moment you connect to the Internet, you're standing on a crowded market square, talking over a PA. Everybody can "hear" you and intercept your communication, and the encryption that is available to regular users might protect you against your neighbor, but not against the means that the NSA has at its disposal. (Especially not since all commercial encryption products are known to have built-in weaknesses that cripple them.)

Let's face a simple reality here: No government on this planet will ever want its people to have unbreakable encryption.
 
Yeah, cause these exploits exist to steal data from smug Starbucks power users with state secrets. I cannot think of a single reason why someone would want to use this for industrial espionage. And getting access into a building is almost impossible ....

Can I ask how you figure you should not have personal data on a work computer? Flawed theory, you may not have YOUR personal data, but you can have company data that has personal info along with access to company systems that can access the data. Trust me, a work computer is worth so much more. Many people keep personal data on work computers anyway, unless you work for the government with very locked down systems.

Alternative: Thief enters the office undetected, grabs my laptop, runs away. Before you get all paranoid about some perceived danger, think about whether there are more obvious, and possibly worse possibilities.
 
I'm sure they've patched iOS devices. However, someone should get on the phone to Apple and remind them that they also sell Macs and they need fixing too.

Not that there's any evidence that they've forgotten they exist...
 
I don't know much about this stuff, but I would think even a somewhat novice Mac user could potentially avoid such exploits? No one uses my Mac but me, I don't stupidly launch anything on my Mac that I don't know what it is, and I certainly wouldn't boot from an all of a sudden random USB-C drive sticking out of my Mac that I've never used. I believe most of these exploits target very stupid people, but there sure are a lot of them.
 
No. They are not updating the Mac Pro to help the business using them maximize profits by minimizing incremental hardware upgrade expenses. There's nothing on Facebook or your little social media services that requires any computer tech past 2006. Users have gotten dumber and less sophisticated, so a Mac Pro from 3 years ago (didn't actually ship until 2014) smokes for pretty much everything you'd ever need.

But you should email Tim Cook directly and tell him you want that new Mac 'I Play Games'... ahem... mean Mac Pro.

So if I have a business which doesn't currently use Mac Pros, but want to switch to them, then I should pay full retail price for old hardware? That doesn't sound like a smart investment...
 
So if I have a business which doesn't currently use Mac Pros, but want to switch to them, then I should pay full retail price for old hardware? That doesn't sound like a smart investment...

Well... how exactly are you in business then? Computers you got must be working for you. Bam!

You're going to put the brakes on current projects and earnings to wait/hope for some future point to get new hardware? Who runs a business like that? That's how amateurs shop.

If you gotta pour cement now, why wait for someone to announce a future possible cement mixer? To a business a computer is a tool, if the timeline doesn't align, you gotta put on your big boy pants and either ditch your expectations or your business.
I am not playing games and the GPU is kind of outdated. Especially if you are doing 4K or more editing and color corrections. Just saying.

We've got a 2013 (2014 actual shipped) Mac Pro 12-core running FCPX and DaVinci Resolve for color correction and it handles projects just fine at 4K. If you were doing 3D rendering then there's maybe a complaint, but Macs and that segment have never been a good fit.

My specialty is audio and have an 8-core in each studio, screaming for Pro Tools and Logic. I also mess around with Photoshop a fair amount, used to do graphic design, and people are straight up smoking crack when they diss these machines. I understand they are pricey for the average computer shopper. But it's a Mac 'Pro', not a Mac 'I sit at Starbucks and dick around with web-dev'. Don't need much for that.
 
No. They are not updating the Mac Pro to help the business using them maximize profits by minimizing incremental hardware upgrade expenses. There's nothing on Facebook or your little social media services that requires any computer tech past 2006. Users have gotten dumber and less sophisticated, so a Mac Pro from 3 years ago (didn't actually ship until 2014) smokes for pretty much everything you'd ever need.

But you should email Tim Cook directly and tell him you want that new Mac 'I Play Games'... ahem... mean Mac Pro.

The Mac Pro isn't for consumer use. My MacBook Pro excels in almost everything I throw at it, but having to do motion tracking in After Effects, and render the result - that absolutely chokes it. The Mac Pros we have in the office can handle it.

Render time makes a big difference to our productivity. There is a market for high end machines. I'm not saying we'd ditch the current 2013 Pros for 2017 Pros if Apple released them, but to still be paying the same price for tech released in 2013 is steep, when it could be faster.
 