State of MacOS in light of the root password bug

Discussion in 'macOS High Sierra (10.13)' started by parseckadet, Dec 4, 2017.

  1. parseckadet macrumors 6502a

    parseckadet

    Joined:
    Dec 13, 2010
    Location:
    Denver, CO
    #1
    I wanted to get everyone's take on how they feel about MacOS now that the dust has settled after the root password bug last week. Here's what I'm struggling with: How can I honestly recommend to someone that they buy a Mac if we can't trust Apple to not release major security flaws?

    Let me explain that statement a little further. I understand perfectly well that security vulnerabilities happen, and are to a certain degree inevitable. However, I feel like we also need to hold software and hardware makers to a higher degree of responsibility than we currently do. I started using MacOS 17 years ago partly because I had confidence that it would be more secure than the alternatives. But last week's bug was so massive, and so boneheaded, that I have a hard time continuing to believe that anymore. Especially when you take into consideration the large strides Microsoft has taken in the last several years.

    Here's another way to put it. My mother is looking to upgrade her laptop. Currently she has a PC running Windows 10. I've been telling her for months that she should get a Mac because it's more secure. But how can anyone say that anymore with a straight face when you now have to preface such statements with "even though they just had the worst security vulnerability that I can remember."
     
  2. ncrypt macrumors regular

    Joined:
    May 16, 2012
    Location:
    UK
    #2
    Bugs happen. Let's not forget Heartbleed which affected every(?) SSL website a few years ago (http://heartbleed.com)

    Even though this root bug was absolutely awful, we should also judge Apple based upon how they respond to security issues. Considering they pushed a patch that installed for everyone within 24 hours, I'd say that should give you some faith.

    In my opinion.
     
  3. Ritsuka macrumors 6502a

    Joined:
    Sep 3, 2006
    #3
    I think you should look at the whole sad state of security issues, and cry a little: https://cve.mitre.org

    There are much worse issues out there.
     
  4. Merlyn3D macrumors 6502

    Joined:
    May 15, 2006
    #4
    Should we not judge Apple based on how they managed to ship such an obvious bug to begin with? Even a little? Don’t forget this is the richest company in the world. They should have no trouble paying more for QA/testing. They should have both their code and their organization set up in such a way that they would greatly reduce the chances of this bug ever being released. After last week I’m skeptical, and I’ve invested a lot in Apple hardware and software.
     
  5. parseckadet thread starter macrumors 6502a

    parseckadet

    Joined:
    Dec 13, 2010
    Location:
    Denver, CO
    #5
    I will say this, I'm not in the camp that thinks Apple's QA should be lambasted for not catching this. My reasoning here comes down to the excellent example known as Horace's Horror.

    But, I DO think that the developer(s) responsible need to be held to account. Not that they should be fired mind you. It all depends on the circumstances.
     
  6. ApfelKuchen macrumors 68030

    Joined:
    Aug 28, 2012
    Location:
    Between the coasts
    #6
    Yes, I appreciate your dilemma. If the only reason you had for advising your mother to switch to Mac was security, then you may need some time for Apple to re-earn your trust.

    Personally, I would not advise someone to switch platforms solely for the sake of security. There are so many "pain" factors at play - learning curve, data migration, app compatibility, cost... that there should be several positive motivating factors for making the switch, not just one.

    Presuming you do have several other justifications for putting Mom through this switch, does that switch still make sense if you scratch security off the list altogether?
     
  7. rayward macrumors 68000

    Joined:
    Mar 13, 2007
    Location:
    Houston, TX
    #7
    Apple started devolving into Microsoft before Jobs' body was even cold. It's shocking to me how fast they switched to being just another tech company that rushes product to market and lets the public be beta testers. I have yet to upgrade to High Sierra and I am not sure when I will.

    My iMac is getting a little long in the tooth. They just ended support for the 2011 Mac Mini so it's only a matter of time before my mid-2010 iMac goes the same way. The trouble is, I do not have any interest in spending $1500 minimum (for a 2015 refurb), especially as I'd have to go through the bother of swapping out the HDD in order to store my media.

    I can get an all-in-one HP for half the price of a comparable iMac, with a 4TB HDD and BluRay player all built in. It is a testament to Apple's fall from grace that someone as invested in the Apple ecosystem as me (just look at my sig.) is looking away from Apple for my desktop and my phone. Switching horses for either one will likely drive the switch for the other.
     
  8. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #8
    Unless you are only happy to recommend perfect products (good luck with that), then you have to ask yourself which major-security-flaw-free OS <would> you recommend? As far as I can see that macOS bug was discovered and patched way before it could usefully be exploited.

    In the real world Apple still lead the pack IMHO. YMMV
     
  9. r.harris1 macrumors 6502a

    r.harris1

    Joined:
    Feb 20, 2012
    Location:
    Denver, Colorado, USA
    #9
    Sure, that's certainly fair to do since it was certainly a miss. Once you're done judging though, what's your recommended path forward? Move to another OS? I'm not sure what that would buy anyone unless there were compelling usability or functionality needs the OS provided, which might be true but up to each individual based on their needs. All OSs have the potential to ship major security vulnerabilities. Not excusing Apple here, just a fact of software development, regardless of the dollars and people you throw at it (and more is rarely better, by the way).
     
  10. Heruhur macrumors member

    Heruhur

    Joined:
    Apr 4, 2017
    Location:
    Zwolle
    #10
    I think it's all being exaggerated a bit. (not the security bug, but the commotion around it)
    A Win10 bug of the same magnitude would be news as well, but the masses will shrug and continue.
    Apple has had a name of being more secure. So when it has a security bug, it's like bees to honey.
    So when they have a bug, it's a disaster of biblical proportions, fire and brimstone coming down from the skies, rivers and seas boiling, 40 years of darkness, earthquakes, volcanoes, the dead rising from the grave, human sacrifice, dogs and cats living together, mass hysteria!

    While an obvious leak, it just happens, to every OS at some time.
    The only way to avoid mistakes is not doing anything at all.
    It got a fix very fast, so I'd give them the benefit of the doubt.
     
  11. r.harris1 macrumors 6502a

    r.harris1

    Joined:
    Feb 20, 2012
    Location:
    Denver, Colorado, USA
    #11
    Sounds like for you, your value proposition is based on immediate cost and specs for certain components you need and isn't related to any specific OS or ecosystem, which is certainly fair. Having come the other direction (Windows to Mac) some years ago, I can tell you that in moving ecosystems there's a definite investment in time, security issues on the move-to OS, quality issues on the move-to OS, whichever it is, at any given point in time.
     
  12. rayward macrumors 68000

    Joined:
    Mar 13, 2007
    Location:
    Houston, TX
    #12
    I'm just not sure I see the value in paying the premium for Apple products any more. I have an HP laptop for work, and it's a thoroughly decent machine (with every type of port you can think of so never a dongle required).
     
  13. fisherking macrumors 603

    fisherking

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #13
    and no one's stopping you from using your HP. but be prepared, both OS's will undoubtedly have bad moments, vulnerable moments, errors, bugs... etc. it's the nature of software.

    how many reported disasters were there based on the root password issue? and where in the world is everything safe, and perfect?

    am sticking with mac os... but honestly, whatever works...
     
  14. r.harris1 macrumors 6502a

    r.harris1

    Joined:
    Feb 20, 2012
    Location:
    Denver, Colorado, USA
    #14
    Yep, like I indicated, sounds like that HP is the right one for you given the things you value (legacy ports, Blu-ray, etc). That's what I love about the current state of tech - there's usually something for everyone.
     
  15. SoCalReviews, Dec 5, 2017
    Last edited: Dec 5, 2017

    SoCalReviews macrumors 6502

    Joined:
    Dec 31, 2012
    #15
    It's been a rough week for Apple but at least the security issues are being dealt with fairly quickly as they are being discovered. It's always the unseen and unknown bugs lurking under the surface that bite the hardest. Fortunately we really haven't seen many of those lately on MacOS that had a chance to be exploited or at least nothing on the magnitude of the last big MS Windows security flaw to surface that brought down numerous companies worldwide with ransomware. Despite the recent high profile problems with High Sierra bugs I still lean towards MacOS for security and reliability.
     
  16. 960design macrumors 68030

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #16
    First: Yes it was a serious oversight, no question, many people dropped the ball on this.
    Grand Scheme: What could you do with the root password oversight? Log into the computer? Physical access to your Mac and most anyone can log in to it in 30 seconds. Oddly enough, it takes about two minutes to reset a Windows10 admin password ( probably due to slower OS <-- could not resist the easy ribbing ).

    Notice that I mentioned 'physical access'. Remote access to Macs is darn near impossible; except through public wifi social engineering. Mac still has one of the safest OS on the market ( barring AS/400, Solaris and some Linux distros ).

    I still feel safe recommending a Mac to my mother, even though she still buys Dells running Windows every few years and still pays for AOL. I love my mom.
     
  17. whooleytoo macrumors 604

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #17
    You're spot-on. This isn't something that would have been caught in QA. "Leave the password blank, click into it, press Enter multiple times" is not a normal test-case. If anyone thinks it should be, then I've a few billion other test cases that need to be also added to the list.

    I'm never really a fan of chucking the developer under the bus (disclaimer: I'm a developer). Every person makes mistakes, it's down to the processes, checks and balances to make sure everything is double/triple-checked to catch those rare mistakes.

    In this case, all code should be peer-reviewed by a competent developer/team. Authentication code is extremely fault-intolerant, so that code should have been one of the areas focused upon.
     
  18. Since1987 macrumors regular

    Joined:
    Feb 23, 2016
    #18
    There is nobody left at Apple that cares about MacOS. This is only one of a 1000 ways they show it. MacOS is the crazy grandpa that gripes about passé concepts like "work", "features", "productivity" and "security". And IveCook want to put MacOS in a nursing home... ASAP!

    This is a company who is currently running iPad ads that say "what's a computer?". IveCook obviously HATE computers and wish they would go away. After being shamed by a shareholder they grudgingly announced they would keep making computers, not in a very convincing way though.

    iMac Pro.... it's December. It's almost Xmas.... perhaps they would like to release it and sell some??
    MacMini ..... dead. Stop kidding yourself.
    Mac Pro .... still just a rumour. I believe they will ultimately say "The iMac Pro is our "Pro" computer. If that's not good enough for you, (bleep) off!"
    MacBook Pro ... an embarrassment. It's like a covert attempt to move you onto an iPad Pro.

    Apple is a company that makes phones, iPads ( just an overgrown phone ), and Beats products ( the real reason the headphone jack was removed ). ONE product, and accessories for it. Stock Price is great now, but your ONE product can fall out of fashion and you can go away... like Blackberry.
     
  19. fisherking macrumors 603

    fisherking

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #19
    thanks for the informative post! speculation, whining, and conspiracy theories are so much more useful than facts...
     
  20. PizzaBoxStyle macrumors 6502

    Joined:
    Dec 11, 2014
    Location:
    Apple HQ Cupterino Spaceship
    #20
    It's gonna take a miracle for Apple to not go totally moribund, PanAm style, once their ONE product falls out of fashion (as you say). It'll be long, drawn out and very painful.

    And all of the people who they've pissed off, and pissed on, over the years will come out to fan the flames.
     
  21. SoCalReviews macrumors 6502

    Joined:
    Dec 31, 2012
    #21
    Ha ha!!! for a moment I could have sworn you were talking about MS. :D
     
  22. 370zulu macrumors regular

    370zulu

    Joined:
    Nov 4, 2014
    Location:
    Cincinnati, Ohio
    #22
    Just my opinion here...

    I have been in IT for about 27 years and this is the state of IT in general. No OS or device is perfect and even with the most thorough change control measures and version control of code, sometimes bugs slip through to deployment it seems. It just happens. Specifically, I work on AIX, HP-UX and RHEL and SUSE Linux and have seen some pretty sad bugs in my time. Things you would think "Now how the hell did that get past QC". I've witnessed people lose their job for stupid mistakes. It sucks. Some companies will use a mistake as a learning opportunity, some reprimand and others just cut the employee loose. I think it has a lot to do with company culture and perhaps their fear of a wrongful termination lawsuit coming from the fired employee.

    I like Linux a lot. It has a lot to offer in my case. I could use Linux at home for my primary OS, but I choose macOS and for the most part, I don't have ecosystem and mobile support issues. Windows is a whole other charlie foxtrot. I no longer support Windows OS for friends and family whatsoever. If I never have to sit at a keyboard where Windows is installed, it would be too soon. I don't have the patience to deal with the clown show that Windows is. As far as devices - how about the train wreck that is Android? What a complete charlie foxtrot. Even with the awful experience I had with iOS 11, I would use a flip phone before I ever have another Android.

    I hope Apple continues to do their best and correct the mistakes as they make them in a quick manner.
     
  23. neliason macrumors 6502

    Joined:
    Oct 1, 2015
    #23
    The more I think about it, while embarrassing, this wasn’t that bad. The bug itself was not exploitable or a real risk to most users. You needed physical access to the machine. And for most people you needed a logged in account.

    If you want security more than anything Debian is good. But it is good because it has lots of features turned off. It is good because a fresh install can’t do a lot of the things we want a modern computer to do.

    Operating systems exist to accomplish tasks for us and make life easier. Perfect security is unobtainable. Greater concern for security will be a trade off for more functionality and ease of use.

    Well it wasn’t a test case. It is now! QA tests are often created in response to a past failure.
     
  24. Merlyn3D macrumors 6502

    Joined:
    May 15, 2006
    #24
    I’m not sure where you read that it wasn’t remotely exploitable, but it absolutely was...over Remote Desktop no less. There are several videos on twitter or YouTube showing exactly this. It was bad.
     
  25. neliason macrumors 6502

    Joined:
    Oct 1, 2015
    #25
    True. But you have to have Remote Desktop and root logon enabled, right? How many people have both enabled? I wouldn’t think most, but I could be wrong. But considering your point I should revise my assessment. It was very bad.
     
