Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Says WikiLeaks CIA Documents Are Old and Exploits Have Been Fixed

TallGuyGT said:
What's worrisome are the ones that survive a complete wipe and OS install. I hope Apple continues to harden it's products from those types of attacks.
Click to expand...

That is feature of the updated BIOS design known as UEFI (all PC's and Intel Mac's use it), as part of that BIOS design that capability (install x after bootup from the UEFI/BIOS area) is there. Its interesting to note this updated BIOS design was pushed by Microsoft and Intel (2 great friends of the mass surveillance folks in the U.S. government) a couple of years after 9/11. Apple has to make sure only they can get updated UEFI images on your Mac is how it is secure - and one of the reasons there were alot of BIOS updates for Macs a few years ago.

You can see where it's been publicly abused by the Chinese PC vendor Lenovo (maker of Thinkpads) here:

https://www.techdirt.com/articles/2...rapware-via-bios-fresh-windows-installs.shtml

This also makes sense why old school BIOS design's weren't liked by that professional hacking company that was hacked itself a couple of years ago - in their docs they mentioned they wanted PC's with UEFI BIOS's to attack implying old BIOS designs were more difficult.
 
Last edited:
MH01 said:
Yeah, cause these exploits exist to steal data from smug Starbucks power users with state secrets . I cannot think of a single reason why someone would want to use this for industrial espionage . And getting access into a building is almost impossible ....

Can I ask how you figure you should not have perosanal data on a work computer. Flawed theory , you may not have YOUR personal data, but you can have company data that has personal info along with access to company systems that can access the data. Trust me , a work computer is worth so much more. Many people keep personal data on work computers anyway, unless you work for the government with very locked down systems
Click to expand...

Our studio Macs are not kept connected to the internet, with OWC thunderbolt drive bays and clients bring drives, and we copy their data to ours. So nothing is kept networked. Practically there's no need to surf the web when you have a video or audio project loaded, and it's better to dedicate system resources for the work. We don't update unless there's a particular patch or feature, and that's maybe 3 or 4 times a year. So it's easy to keep GBs of private and important data safe by just not making it available online. I have important audio libraries that will never be accessible without physical access. People in our industry that are lazy have gotten burned by doing the opposite. If it's important, you should treat it as such and figure out a way. It's not impossible or impractical, it just requires adhering to a more secure workflow. You're posting on here, so it's not like the extra time would be an obstacle for you.
 
iapplelove said:
Saw that tweet today as well. Also said the vulnerabilities were factory installed. I don't think Apple has fixed a damn thing to be honest, don't think you can fix it.
Click to expand...

Seems the CIA-process regarding the new phones is to hijack specific logistics and change new phones for tampered with phones in transit.

Would be interesting to know how far Apple works with them. Is this done with Apples knowledge? Do Apple have CIA people in their organisation creating backdoors?

What CIA does is unconstitutional and thus criminal. FBI same, let's see if the NSA comes up with anything substantial today.
 
  • Like
Reactions: iapplelove
gnasher729 said:
Alternative: Thief enters the office undetected, grabs my laptop, runs away. Before you get all paranoid about some perceived danger, think about whether there are more obvious, and possibly worse possibilities.
Click to expand...

thief takes your laptop , you report it stolen, appropriate action is taken. Organisations plan for stolen hardware. Poor choice.

Let me put it this way, outr worst breaches where the ones that went on for months without any alerts or knowledge .

A dumb thief resorts to robbery, smart ones steals from you without your knowledge ;)
 
thekeyring said:
The Mac Pro isn't for consumer use. My MacBook Pro excels in almost everything I throw at it, but having to do motion tracking in After Effects, and render the result - that absolutely chokes it. The Mac Pros we have in the office can handle it.

Render time makes a big difference to our productivity. There is a market for high end machines. I'm not saying we'd ditch the current 2013 Pros for 2017 Pros if Apple released them, but to still be paying the same price for tech released in 2013 is steep, when it could be faster.
Click to expand...

Yep, and that's the rub, that side of video has never been a perfect fit with Apple's history of Mac Pro releases. Occasionally it aligns for a time, but never been a constant. But a big part of that problem is Adobe and their crappy, inefficient code. They'd rather you spend to buy more PCs for rendering, than bite the bullet and get serious about their codebase. I don't blame Apple for not bothering to throw resources at that. I think they were smart to bring Motion up as an alternative for general AE type stuff, and leave the more hardcore uses for AE and systems with multiple PCs. I don't see that ever changing unless Adobe gets serious about getting lean and mean. I think it's more likely competitors will slowly nibble away like what's happening to Photoshop.

It's a bummer, but I have no sympathy, ProTools is a mess of additional hardware to get a serious rig running, the lower level systems are handicapped in all sorts of ways. That's the trouble with specialized niches in computing, all the fun stuff is for the consumers, the pros have to wait and wait and wait for anything to be sorted out between multiple vendors before purchasing something. This isn't likely to change anytime soon. Also why a constant refresh of 'pro' machines isn't as dire as some would believe. Apple is never going to fill all niches, but the ones they do... damn!
 
supercoolmanchu said:
Our studio Macs are not kept connected to the internet, with OWC thunderbolt drive bays and clients bring drives, and we copy their data to ours. So nothing is kept networked. Practically there's no need to surf the web when you have a video or audio project loaded, and it's better to dedicate system resources for the work. We don't update unless there's a particular patch or feature, and that's maybe 3 or 4 times a year. So it's easy to keep GBs of private and important data safe by just not making it available online. I have important audio libraries that will never be accessible without physical access. People in our industry that are lazy have gotten burned by doing the opposite. If it's important, you should treat it as such and figure out a way. It's not impossible or impractical, it just requires adhering to a more secure workflow. You're posting on here, so it's not like the extra time would be an obstacle for you.
Click to expand...

There is a world of difference being a media company and a financial / government entity.

You cannot compare edit stations to networked computer assets. No offence but no idiot is ever going to target an edit station in a company......go after the MacBooks airs...management carry those ;)
 
You are the One said:
Seems the CIA-process regarding the new phones is to hijack specific logistics and change new phones for tampered with phones in transit.

Would be interesting to know how far Apple works with them. Is this done with Apples knowledge? Do Apple have CIA people in their organisation creating backdoors?

What CIA does is unconstitutional and thus criminal. FBI same, let's see if the NSA comes up with anything substantial today.
Click to expand...

Doesn't sound like it. The CIA has been doing this behind the NSA/DoD's back. This is a rogue, illegal operation and official support from Apple is unlikely. They do business all over the world, and their reputation has tangible market value. If the CIA is operating in an extra legal capacity, unlikely they would use any legal means (even 'normal' government clandestine practices and courts) to compel Apple or any company's cooperation.

More likely they would bribe or blackmail a key employee. Seems a lot easier than trying to convince a CEO and Board of a public company. One slip up and it would mean Tim Cook's ass, and Apple's revenue would be drastically affected. Simplest method is compromise a tech nerd or someone in the manufacturing chain. Going thru corporate creates a paper trail, and would at minimum involve several people, lawyers and assistants, before they even got to the actual tech people they needed inside Apple.

If they've been doing this, might be easier to compromise someone at Samsung or a Foxcon, who manufacture not only for iPhones but android phones and maybe other devices as well. Better bang for the spy bucks.
[doublepost=1490363436][/doublepost]
MH01 said:
There is a world of difference being a media company and a financial / government entity.

You cannot compare edit stations to networked computer assets. No offence but no idiot is ever going to target an edit station in a company......go after the MacBooks airs...management carry those ;)
Click to expand...

And those idiots only need certain documents/systems to be networked, but the standard practice is to keep everything on their machines for conveinence. Conveinence is a poor component of good security, but it's created a lot of bad habits across most industries that use computers.
 
Last edited:
  • Like
Reactions: You are the One
It's interesting that the article, nor Apple, mentioned the firmware injection at time of manufacturing. Hmm...
 
lkrupp said:
This is tin foil hat material for OCD Paranoids. No matter what Apple says they will say, “Yeah, but...” like the guy out in the Nevada dessert who claims he can prove the Moon landings were faked and that Lyndon Johnson ordered the hit on Kennedy. These people cannot be reasoned with.
Click to expand...

How is something confirmed true tin foil hat material? lol. Are you truly this dense?
 
DNichter said:
I don't know much about this stuff, but I would think even a somewhat novice mac user could potentially avoid such exploits? No one uses my mac but me, I don't stupidly launch anything on my mac that I don't know what it is, and I certainly wouldn't boot from an all of a sudden random usb-c drive sticking out of my mac that I've never used. I believe most of these exploits target very stupid people, but there sure are a lot of them.
Click to expand...

You think the CIA will come to your house at night, plug in a USB and leave it there and hope for the best? Lmao

Don't call people stupid when you don't even understand the article.
 
supercoolmanchu said:
Well... how exactly are you in business then? Computers you got must be working for you. Bam!

You're going to put the brakes on current projects and earnings to wait/hope for some future point to get new hardware? Who runs a business like that? That's how amateurs shop.

If you gotta pour cement now, why wait for someone to announce a future possible cement mixer? To a business a computer is a tool, if the timeline doesn't align, you gotta put on your big boy pants and either ditch your expectations or your business.
[doublepost=1490359204][/doublepost]

We've got an 2013 (2014 actual shipped) Mac Pro 12-core running FCPX and DaVinci Resolve for color correction and it handles projects just fine at 4K. If you were doing 3D rendering then there's maybe a complaint, but Macs and that segment have never been a good fit.

My specialty is audio and have an 8-core in each studio, screaming for Pro Tools and Logic. I also mess around with Photoshop a fair amount, used to do graphic design, and people are straight up smoking crack when they diss these machines. I understand they are pricey for the average computer shopper. But it's a Mac 'Pro', not a Mac 'I sit at Starbucks and dick around with web-dev'. Don't need much for that.
Click to expand...
I expect for your work you want to have a secure machine as your daily income depends on it. Now with exploits out in the wild you must be more carefully. Even though I admit that currently physical access is needed for EFI exploitation
 
Sasparilla said:
That is feature of the updated BIOS design known as UEFI (all PC's and Intel Mac's use it), as part of that BIOS design that capability (install x after bootup from the UEFI/BIOS area) is there. Its interesting to note this updated BIOS design was pushed by Microsoft and Intel (2 great friends of the mass surveillance folks in the U.S. government) a couple of years after 9/11. Apple has to make sure only they can get updated UEFI images on your Mac is how it is secure - and one of the reasons there were alot of BIOS updates for Macs a few years ago.

You can see where it's been publicly abused by the Chinese PC vendor Lenovo (maker of Thinkpads) here:

https://www.techdirt.com/articles/2...rapware-via-bios-fresh-windows-installs.shtml

This also makes sense why old school BIOS design's weren't liked by that professional hacking company that was hacked itself a couple of years ago - in their docs they mentioned they wanted PC's with UEFI BIOS's to attack implying old BIOS designs were more difficult.
Click to expand...

No, not all PCs use UEFI. All Macs have for the past ten years as they were the first. Most PC Motherboards today have either non-UEFI, Hybrid or full UEFI. There are billions of non-UEFI bios systems in the world.
 
So Tim. If the vulnerability was only alleged how did you fix it, or did you just allegedly fix it?
 
MH01 said:
What else they gonna say. So what apple is telling me, most of my macs are vulnerable and I should buy a new one lol......

Face it people, if you own a electronic device, privacy and security is a myth. Apple does not even know what current exploits exist. Saying any Mac after 2013 is okay is daming. It's shocking that it took these leaks for some of apple's smugness about security to come through .
[doublepost=1490331956][/doublepost]

If you have ever worked in an office ..... and needed a toilet/coffee break 1-3 easily achieved.

If you are student or self employed, yeah you can take 1-3 much more seriously .... though in the real world it's quite common not to carry your computer with you at all times and leave it at your desk
Click to expand...

On a PC, it's pretty simple to thwart 1 through 3 if you step away from your computer...CTRL+ALT+DEL

I don't own a Mac, but I would imagine they have something similar.

No special coding skills needed.
 
crashoverride77 said:
You think the CIA will come to your house at night, plug in a USB and leave it there and hope for the best? Lmao

Don't call people stupid when you don't even understand the article.
Click to expand...

No, just that any of these exploits need to be initiated by the user. I am saying that someone would have to be pretty stupid to do so.
 
MacRumors said:
Apple says the iPhone vulnerability only affected the iPhone 3G and was fixed in 2009, while all Mac vulnerabilities were fixed in Macs launched after 2013
Click to expand...

Uh...? Does this mean Macs manufactured in 2013 are vulnerable? "after 2013" is very ambiguous.
 
thadoggfather said:
Do we really believe CIA is behind the times, to the extent of 2009ish?

They have a whole dept dedicated to apple products, I think they still know what they're doing
Click to expand...

This is ancient news. Vulnerabilities already patched. They'll have all new tools now and this information is obsolete.

It's either a recruitment campaign for CIA or more likely, payback for CIA leaking NSA information.

Just like the Snowdon leaks neither violated national security nor discussed anything that wasn't in Enemy Of The State decades earlier, there is nothing damaging in these leaks, just embarrassing to CIA.

It's payback for CIA agent (as he identified himself to Greenwald) Snowdon embarrassing NSA to gain cyber funding for CIA. This is NSA getting back at CIA. Ancient inter-agency rivalries. Nothing damaging leaked, just political manoeuvring for more funding.

The only real news, missed by everybody is that CIA masquerades as Russian (and other) hackers to avoid detection. Just as they previously admitted to disguising themselves as Chinese hackers. Read the news in the light of THESE revelations.
 
  • Like
Reactions: You are the One
There are few pieces to this...

One one hand Apple doesn't come forward. it just wants to make products, avoiding the media..

On the other hand, by not coming forward to Wikileaks, and instead insisting that Wikileaks go to Apple, they are saying "We don't care".

Well if u care about security then u DO care. but not enough to involve ?

Cartoonkid said:
On a PC, it's pretty simple to thwart 1 through 3 if you step away from your computer...CTRL+ALT+DEL

I don't own a Mac, but I would imagine they have something similar.

No special coding skills needed.
Click to expand...

Actually for Mac, we don't have security like that... the only best thing is 'hot corners' will lock which means the user much know to move it to that location, which they will forget to do over time... Easyer to just leave Mac un-attented and ask for password immediately on return... Unfortunately, the minimum is 5 minutes. Plenty of time for someone to still access.

Control-Alt-Delete in Windows is still far better, no need for 'hot corners', typing in Terminal or apps to use just to initiate such a secure task. You really gotta wonder everywhere else Apple did correct in security o a Mac, BUT they left this open more..... Why ? is my only question.
 
Last edited:
thadoggfather said:
They have a whole dept dedicated to apple products, I think they still know what they're doing
Click to expand...

Team maybe? They are a department (aka government agency). IT is not their main business, so my image is that it would be a particularly large/important area of the CIA. It'd just be one of the tech teams...
 
djgamble said:
Team maybe? They are a department (aka government agency). IT is not their main business, so my image is that it would be a particularly large/important area of the CIA. It'd just be one of the tech teams...
Click to expand...

Semantics ? A team could mean a lot of people involved. Point being CIA acknowledges every one owns iSomething, so cracking the apple open would be a powerful thing... :/
 
DNichter said:
No, just that any of these exploits need to be initiated by the user. I am saying that someone would have to be pretty stupid to do so.
Click to expand...

What are you talking about?. Once again read the articles.

First you think a random USB has to be plugged in for the exploit to work. Lmao

Now you say its user initiated.

The idea is that the NSA would intercept a brand new laptop that is shipped, install the exploit and than give it to the user. Or they give you a tinkered laptop e.g at your work place.

So once again stop calling people stupid.
 
supercoolmanchu said:
Yep, and that's the rub, that side of video has never been a perfect fit with Apple's history of Mac Pro releases. Occasionally it aligns for a time, but never been a constant. But a big part of that problem is Adobe and their crappy, inefficient code. They'd rather you spend to buy more PCs for rendering, than bite the bullet and get serious about their codebase. I don't blame Apple for not bothering to throw resources at that. I think they were smart to bring Motion up as an alternative for general AE type stuff, and leave the more hardcore uses for AE and systems with multiple PCs. I don't see that ever changing unless Adobe gets serious about getting lean and mean. I think it's more likely competitors will slowly nibble away like what's happening to Photoshop.

It's a bummer, but I have no sympathy, ProTools is a mess of additional hardware to get a serious rig running, the lower level systems are handicapped in all sorts of ways. That's the trouble with specialized niches in computing, all the fun stuff is for the consumers, the pros have to wait and wait and wait for anything to be sorted out between multiple vendors before purchasing something. This isn't likely to change anytime soon. Also why a constant refresh of 'pro' machines isn't as dire as some would believe. Apple is never going to fill all niches, but the ones they do... damn!
Click to expand...

Actually I agree with the Adobe thing. While I love their apps I do find there to be a few annoyances - the code is inefficient. There are too many apps which overlap in functionality, yet have different keyboard shortcuts etc which make it difficult to switch between.
 
crashoverride77 said:
What are you talking about?. Once again read the articles.

First you think a random USB has to be plugged in for the exploit to work. Lmao

Now you say its user initiated.

The idea is that the NSA would intercept a brand new laptop that is shipped, install the exploit and than give it to the user. Or they give you a tinkered laptop e.g at your work place.

So once again stop calling people stupid.
Click to expand...

Okay pal
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back