
Cracking OS X Lion Passwords

Carl
Carl Just Me
Hot off the presses:

[b]Cracking OS X Lion Passwords[/b]

[url="http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html"]http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html[/url]

[b]OS X Lion passwords can be changed by any local user[/b]

[url="http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/"]http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/[/url]

Comments

  • Ben
    Ben AWS Team
    Nice! Thanks for the links Carl. Hopefully Apple gets on this quickly.

    For anyone wondering how this might affect 1Password... it doesn't, really. Your Master Password is used to encrypt your 1Password data. Without your Master Password, it is impossible to access your sensitive data.

    Still a pretty big "oops" on Apple's part. :(
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Carl,

    I've just been testing the bugs for myself (as well as the proposed workaround). I'll post more when I've confirmed this.

    But as I just said in a very recent discussion, it looks like Apple did a particularly poor job with security in their revamping of Directory Services on Lion. Their really awful security problem with Lion, the LDAP authentication bug, also centers around Directory Services. (Note that the LDAP issue doesn't apply to most users, only those logging in against an LDAP server).

    Anyway, I'll go back to my testing for a bit.

    Cheers,

    -j
  • Carl
    Carl Just Me
    [quote name='bwoodruff' timestamp='1316533887' post='50600']
    Nice! Thanks for the links Carl. Hopefully Apple gets on this quickly.

    For anyone wondering how this might affect 1Password... it doesn't, really. Your Master Password is used to encrypt your 1Password data. Without your Master Password, it is impossible to access your sensitive data.

    Still a pretty big "oops" on Apple's part. :(
    [/quote]

    Yup, 1Password is not affected by this.

    Good thing you guys are not pushing people to upgrade to OS X Lion to run the latest version of 1Password... oh wait..... Doh!
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='Carl' timestamp='1316554203' post='50695']Good thing you guys are not pushing people to upgrade to OS X Lion to run the latest version of 1Password... oh wait..... Doh![/quote]

    As I'm sure you well know, 3.8 (which works on Snow Leopard) is being fully updated. Indeed, at the moment it contains improvements that haven't been released in 3.9.

    Anyway, back to topic. Restricting the use of dscl by setting its permissions so that it can't be executed looks like a reasonable temporary workaround. So in the Terminal,

    [code]sudo chmod 100 /usr/bin/dscl[/code]

    I don't know what other processes might try to call /usr/bin/dscl and be thrown off by this. So this is something that could cause some other difficulties, but I haven't encountered any yet.

    Cheers,

    -j
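The one-line chmod workaround above is easy to apply but equally easy to forget, and, as the post notes, it may trip up system processes that call dscl, so you want a clean way to confirm the state and to put the original permissions back. The script below is an added example, not code from this thread or from AgileBits: a small POSIX shell wrapper that records the current permission bits of the tool, applies the owner-execute-only mode 100 from the post, verifies that the change took effect, and can revert to the recorded mode. The function names, the `DSCL_PATH` override and the `apply`/`check`/`restore` sub-commands are this example's own; the default path /usr/bin/dscl and the mode 100 come from the post. Run it with sudo when pointing it at a system binary.

```shell
#!/bin/sh
# Added example (not from the thread): apply, verify and revert the
# "sudo chmod 100 /usr/bin/dscl" workaround, recording the original mode so it
# can be restored once a vendor fix is installed.
# Assumptions: tool path defaults to /usr/bin/dscl (from the post); the helper
# names and DSCL_PATH variable are this example's own.
set -eu

# Owner-execute-only is the restriction the post recommends.
RESTRICTED_MODE=100

# Print the permission bits of a file in octal (e.g. 755). BSD/macOS stat and
# GNU stat use different syntax, so branch on the platform.
get_mode() {
    if [ "$(uname)" = "Darwin" ]; then
        stat -f '%OLp' "$1"
    else
        stat -c '%a' "$1"
    fi
}

# Apply the restriction and print the previous mode (save it for restore_tool).
# Returns non-zero if the mode did not actually change.
restrict_tool() {
    tool="$1"
    prev="$(get_mode "$tool")"
    chmod "$RESTRICTED_MODE" "$tool"
    [ "$(get_mode "$tool")" = "$RESTRICTED_MODE" ] || return 1
    printf '%s\n' "$prev"
}

# Exit 0 when the workaround is in place, 1 otherwise.
is_restricted() {
    [ "$(get_mode "$1")" = "$RESTRICTED_MODE" ]
}

# Revert to a recorded mode (the value restrict_tool printed) and verify.
restore_tool() {
    chmod "$2" "$1"
    [ "$(get_mode "$1")" = "$2" ]
}

# Command-line entry point: apply | check | restore <mode>.
# With no argument nothing is changed, so the file can also be sourced.
TOOL="${DSCL_PATH:-/usr/bin/dscl}"
case "${1:-}" in
    apply)
        prev="$(restrict_tool "$TOOL")"
        echo "Restricted $TOOL (previous mode $prev); keep that value for restore."
        ;;
    check)
        if is_restricted "$TOOL"; then
            echo "$TOOL is restricted (mode $RESTRICTED_MODE)"
        else
            echo "$TOOL is NOT restricted (mode $(get_mode "$TOOL"))"
        fi
        ;;
    restore)
        restore_tool "$TOOL" "${2:?usage: restore <mode>}"
        echo "Restored $TOOL to mode $2"
        ;;
esac
```

Typical use is `sudo sh restrict-dscl.sh apply`, noting the mode it prints, `sudo sh restrict-dscl.sh check` whenever you want to confirm the state after an OS update, and `sudo sh restrict-dscl.sh restore <mode>` once the fix ships. Verifying the mode after each chmod rather than trusting the exit status catches the case where the file is on a volume that ignores permission changes.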
  • F451
    F451 Pretzel Logistician
    edited September 2011
    [quote name='Carl' timestamp='1316554203' post='50695']
    Good thing you guys are not pushing people to upgrade to OS X Lion to run the latest version of 1Password... oh wait..... Doh!
    [/quote]

    Carl, you and I started here as the first forum moderators. AgileBits has always been good to me long after my leaving a moderator position of my own volition. Roustem has bent over backwards for me, being both generous, and gracious, under no obligation. Why all the hostility against the team's direction? AgileBits has not abandoned its base of original supporters—AgileBits simply undertook a necessary challenge (abiding by Apple's stringent guidelines regarding Safari or they would have never been accepted at the App Store) and they beat the pants off the challenge becoming what is now one of the best Safari extensions out there today. Sure, there are glitches, but they are being refined daily. AgileBits is one of the best Mac software developers on the playing field today; genuine good guys in a world laden with crappy ones. Why not support them and let matters play themselves out as they inevitably will?

    There are many things that I disagree with regarding today's Apple, and there is nothing I can really do about that, but AgileBits will make betterments to their course if necessary, when and if the time comes that said betterments are required. Please give them the space and the opportunity to do so. (handshake)

    P.S. Currently, I am not running Lion or the App Store as I have situations that forbid my doing so; 1P is working well for me in my existing environment and with the latest betas that 1P offers.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    I just wanted to report that while a number of write-ups of this issue are claiming that user A can change the password of user B without entering an existing password, I have not been able to replicate that.

    Cheers,

    -j
  • Carl
    Carl Just Me
    [quote name='jpgoldberg' timestamp='1316572398' post='50737']
    I just wanted to report that while a number of write-ups of this issue are claiming that user A can change the password of user B without entering an existing password, I have not been able to replicate that.

    Cheers,

    -j
    [/quote]

    Interesting.

    Thanks for digging and reporting.
  • Carl
    Carl Just Me
    [quote name='F451' timestamp='1316569675' post='50732']
    Carl, you and I started here as the first forum moderators. AgileBits has always been good to me long after my leaving a moderator position of my own volition. Roustem has bent over backwards for me, being both generous, and gracious, under no obligation. Why all the hostility against the team's direction? AgileBits has not abandoned its base of original supporters—AgileBits simply undertook a necessary challenge (abiding by Apple's stringent guidelines regarding Safari or they would have never been accepted at the App Store) and they beat the pants off the challenge becoming what is now one of the best Safari extensions out there today. Sure, there are glitches, but they are being refined daily. AgileBits is one of the best Mac software developers on the playing field today; genuine good guys in a world laden with crappy ones. Why not support them and let matters play themselves out as they inevitably will?

    There are many things that I disagree with regarding today's Apple, and there is nothing I can really do about that, but AgileBits will make betterments to their course if necessary, when and if the time comes that said betterments are required. Please give them the space and the opportunity to do so. (handshake)

    P.S. Currently, I am not running Lion or the App Store as I have situations that forbid my doing so; 1P is working well for me in my existing environment and with the latest betas that 1P offers.
    [/quote]

    First, read this post by Jonathan Rentzsch: [url="http://rentzsch.tumblr.com/post/592949476/c4-release"]http://rentzsch.tumblr.com/post/592949476/c4-release[/url]

    To put some context around that, see this link: [url="http://en.wikipedia.org/wiki/C4_(conference)"]http://en.wikipedia.org/wiki/C4_(conference)[/url]

    In a nutshell, what we are seeing happening now with 1Password is similar to this situation.

    I love Apple products and whenever I start feeling a little complacent in the Apple world, all it takes is some stick time on a Windows box to snap me back to reality and realize how good we have it.

    With that said, I don't always agree with everything Apple does. I understand their tight control on the mobile devices but when the iron fist comes to the desktop it creates deep fear in me in regards to the future. I realize that Jobs' goal from the beginning has pretty much been to turn the personal computer into an appliance but I never really thought that day would come.

    What has this got to do with 1Password? Well...when Agile is willing to go along with whatever Apple insists on to play in their space even to the detriment of the application and user base then I'm fairly passionate about it. Here is a big difference between Apple software and 3rd party software: Apple doesn't sell upgrades. (To my knowledge they never have.) New iLife comes out and you pay full price to move to the new version. So the Mac App Store fits their model just fine. Apple also controls the OS so if their apps cannot do something they need, they don't have to hack anything, they just modify the OS.

    When I first came over from PC I was concerned about what application I would need to replace my Roboform for Windows. Many told me that Safari Auto-Fill with Keychain makes it a non-issue. However, that simply wasn't the case. Safari's auto-fill sucks. Sadly, that is what Apple would have you use. That is their solution to the problem of web password management. 1Password was born out of Apple's lack of real vision in this area (i.e. 1Password did what Apple WOULDN'T do) and wanting a Roboform for Mac. I think we both know the success that followed as a result. Why no other developers could figure out that browser integration was the key is beyond me.

    Personally, version 2 had pretty much everything I wanted in 1Password, albeit the form-filling was terrible and basically hasn't got better to this day. Version 3 for me has really been about keeping up with the browser releases. Personally, I'm not sure there is much they could add in version 4.0 that would blow me away.

    So to come back full circle, I feel like Rentzsch a little bit and that Agile is bowing to Apple pressure too easily and in the end the product will become problematic. However, my biggest beef at the present is the Lion-only requirement to stay current when Lion was released less than 60 days ago. I personally feel as if I am being pressured into moving to Lion. Yes, I realize they have some nifty snippets explaining how it isn't the case, but in my opinion that *is* the case.

    Finally, as you well know I had a past relationship with Agile and know quite a bit about how they think, do things, etc. There are those in Agile who.... well read these links:

    [url="http://www.bigisthenewsmall.com/2009/10/12/dont-get-high-on-your-own-supply/"]http://www.bigisthenewsmall.com/2009/10/12/dont-get-high-on-your-own-supply/[/url]

    I'll just say.. they love hearing the positives but don't ever want to hear the negatives. That's only MY opinion though, which is worth little.

    So bottom line is that I would like to support Agile/1P but they are making it damn hard to do so lately.

    Peace
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hey guys,

    Please keep the discussion in this Topic on topic.

    Thanks,

    -j
