* [TUHS] Re: Maintenance mode on AIX [not found] <zpdIicuX7AbN-y6hYho0eLOnHgzRs4iHa1UD6bxUyiTZhqZkg3Ha8TKWV ASxWkDZitFw0JIopRVh7BRC2PzLFrF_Gjsb2yCi-uxJ3Yr3AtE=@protonmail.com> @ 2023-01-18 20:04 ` Joseph J. Mankoski ***PSI*** 2023-01-19 3:56 ` steve jenkin 0 siblings, 1 reply; 10+ messages in thread From: Joseph J. Mankoski ***PSI*** @ 2023-01-18 20:04 UTC (permalink / raw) To: tuhs; +Cc: segaloco, tuhs Hello -- Regarding "appliance-ization" (locking down / dumbing down) of commercially-available computer systems, and returning to the history of Unix (in the context of our current era), I am reminded of Ken Thompson's (excellent and humorous) panel presentation at the ACM Turing 100 conference I attended in 2012, imagining Alan Turing being brought to our time and given a current-generation computer system, etc. The webcast links for the "Systems Architecture" session, etc., on the main conference site, https://turing100.acm.org/, seem to be broken, however the video at this link works for me: https://dl.acm.org/doi/10.1145/2322176.2322182 (Ken's part starts at ~0:09:28.) Cheers, ***PSI*** <<<psi@valis.com>>> tuhs-request@tuhs.org writes: [...] > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 18 Jan 2023 17:08:00 +0000 > From: segaloco <segaloco@protonmail.com> > Subject: [TUHS] Re: Maintenance mode on AIX > To: Clem Cole <clemc@ccc.com> > Cc: tuhs@tuhs.org > Message-ID: <zpdIicuX7AbN-y6hYho0eLOnHgzRs4iHa1UD6bxUyiTZhqZkg3Ha8TKWV > ASxWkDZitFw0JIopRVh7BRC2PzLFrF_Gjsb2yCi-uxJ3Yr3AtE=@protonmail.com> > Content-Type: multipart/alternative; > boundary="b1_7WKJsCnT0P2jggZLBLwbL2iRavDFXPykjXdIMPRs" > > Apple's unreasonable hardening has been the latest deterent to my ever wanting to use macOS as a personal driver. I've got a Mac as my daily driver for work, it can happily stay with work until I can decide how the filesystem is laid out and what folders I, as the root user, can and can't interact with from user land. I own my machine, not Apple. > > - Matt G. > ------- Original Message ------- > On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> wrote: > >> On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote: >> >>> Someone once told me that if they had physical access to a Unix box, they >>> would get root. That has been true forever and it's even more true today, >>> pull the root disk, mount it on Linux, drop your ssh keys in there or add >>> a no password root or setuid a shell, whatever, if you can put your hands >>> on it, you can get in. >> >> A reasonable point, but I think it really depends on the UNIX implementation I suspect. Current mac OS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I can not, but basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe. >> >> The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do if mac OS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root files system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly). >> >> Clem >> ᐧ-------------- next part -------------- [...] > ------------------------------ [...] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 20:04 ` [TUHS] Re: Maintenance mode on AIX Joseph J. Mankoski ***PSI*** @ 2023-01-19 3:56 ` steve jenkin 0 siblings, 0 replies; 10+ messages in thread From: steve jenkin @ 2023-01-19 3:56 UTC (permalink / raw) To: TUHS; +Cc: Joseph J. Mankoski ***PSI*** To their credit, ACM have make the video available on Youtube <https://youtu.be/dsMKJKTOte0?t=551> Link includes intro to Ken for those wanting brevity. > On 19 Jan 2023, at 07:04, Joseph J. Mankoski ***PSI*** <psi@valis.com> wrote: > > Hello -- > > Regarding "appliance-ization" (locking down / dumbing down) of commercially-available computer systems, and returning to the history of Unix (in the context of our current era), I am reminded of Ken Thompson's (excellent and humorous) panel presentation at the ACM Turing 100 conference I attended in 2012, imagining Alan Turing being brought to our time and given a current-generation computer system, etc. > > The webcast links for the "Systems Architecture" session, etc., on the main conference site, https://turing100.acm.org/, seem to be broken, however the video at this link works for me: > > https://dl.acm.org/doi/10.1145/2322176.2322182 > > (Ken's part starts at ~0:09:28.) > > Cheers, > ***PSI*** > <<<psi@valis.com>>> -- Steve Jenkin mailto:sjenkin@canb.auug.org.au http://members.tip.net.au/~sjenkin ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] AIX moved into maintainance mode @ 2023-01-18 9:43 arnold 2023-01-18 15:13 ` [TUHS] " arnold 0 siblings, 1 reply; 10+ messages in thread From: arnold @ 2023-01-18 9:43 UTC (permalink / raw) To: tuhs https://www.theregister.com/2023/01/17/unix_is_dead/ FYI. Arnold ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: AIX moved into maintainance mode 2023-01-18 9:43 [TUHS] AIX moved into maintainance mode arnold @ 2023-01-18 15:13 ` arnold 2023-01-18 15:14 ` Larry McVoy 0 siblings, 1 reply; 10+ messages in thread From: arnold @ 2023-01-18 15:13 UTC (permalink / raw) To: tuhs, arnold Interestingly enough, Phil Hughes, who founded Linux Journal in the early 1990s, predicted that this would happen one day. This was in a private conversation we had. I thought he was crazy, but he was right. arnold@skeeve.com wrote: > https://www.theregister.com/2023/01/17/unix_is_dead/ > > FYI. > > Arnold ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: AIX moved into maintainance mode 2023-01-18 15:13 ` [TUHS] " arnold @ 2023-01-18 15:14 ` Larry McVoy 2023-01-18 16:10 ` segaloco via TUHS 0 siblings, 1 reply; 10+ messages in thread From: Larry McVoy @ 2023-01-18 15:14 UTC (permalink / raw) To: arnold; +Cc: tuhs It makes perfect sense, it's a repeated story, commercial loses out to free. On Wed, Jan 18, 2023 at 08:13:13AM -0700, arnold@skeeve.com wrote: > Interestingly enough, Phil Hughes, who founded Linux Journal > in the early 1990s, predicted that this would happen one day. > This was in a private conversation we had. I thought he > was crazy, but he was right. > > arnold@skeeve.com wrote: > > > https://www.theregister.com/2023/01/17/unix_is_dead/ > > > > FYI. > > > > Arnold -- --- Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: AIX moved into maintainance mode 2023-01-18 15:14 ` Larry McVoy @ 2023-01-18 16:10 ` segaloco via TUHS 2023-01-18 16:19 ` Larry McVoy 0 siblings, 1 reply; 10+ messages in thread From: segaloco via TUHS @ 2023-01-18 16:10 UTC (permalink / raw) To: Larry McVoy; +Cc: tuhs I just hope we'll see some attempts at opening up these code bases as time goes on. Seeing as they're no longer going to be pushing new copies and will eventually ramp down maintenance releases, opening up the source would give their end users the ability to potentially float their own improvements if they can't immediately migrate to Linux or BSD. That said, security implications of course, don't want to just hand bad actors a code base to comb for memory unsafety in. Also this article is BSD erasure :(, no mentions of the big three save that OpenServer and Darwin have chunks of FreeBSD in them. I guess Berkeley is just chopped liver... - Matt G. ------- Original Message ------- On Wednesday, January 18th, 2023 at 7:14 AM, Larry McVoy <lm@mcvoy.com> wrote: > It makes perfect sense, it's a repeated story, commercial loses out > to free. > > On Wed, Jan 18, 2023 at 08:13:13AM -0700, arnold@skeeve.com wrote: > > > Interestingly enough, Phil Hughes, who founded Linux Journal > > in the early 1990s, predicted that this would happen one day. > > This was in a private conversation we had. I thought he > > was crazy, but he was right. > > > > arnold@skeeve.com wrote: > > > > > https://www.theregister.com/2023/01/17/unix_is_dead/ > > > > > > FYI. > > > > > > Arnold > > > -- > --- > Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: AIX moved into maintainance mode 2023-01-18 16:10 ` segaloco via TUHS @ 2023-01-18 16:19 ` Larry McVoy 2023-01-18 16:27 ` [TUHS] Maintenance mode on AIX Ron Natalie 0 siblings, 1 reply; 10+ messages in thread From: Larry McVoy @ 2023-01-18 16:19 UTC (permalink / raw) To: segaloco; +Cc: tuhs Pretty unrealistic to expect the users to suddenly have the time to do kernel dev. Solaris opened sourced itself and it's dead. It's a lot of work to maintain and evolve an OS. Windows, MacOS, and Linux seem like the future. As for BSD, they pretty much killed themselves by all the in-fighting and the lack of someone like Linus. That was obvious 30 years ago and it hasn't changed. That's why I switched from BSD to Linux. On Wed, Jan 18, 2023 at 04:10:34PM +0000, segaloco wrote: > I just hope we'll see some attempts at opening up these code bases as time goes on. Seeing as they're no longer going to be pushing new copies and will eventually ramp down maintenance releases, opening up the source would give their end users the ability to potentially float their own improvements if they can't immediately migrate to Linux or BSD. That said, security implications of course, don't want to just hand bad actors a code base to comb for memory unsafety in. > > Also this article is BSD erasure :(, no mentions of the big three save that OpenServer and Darwin have chunks of FreeBSD in them. I guess Berkeley is just chopped liver... > > - Matt G. > > ------- Original Message ------- > On Wednesday, January 18th, 2023 at 7:14 AM, Larry McVoy <lm@mcvoy.com> wrote: > > > > It makes perfect sense, it's a repeated story, commercial loses out > > to free. > > > > On Wed, Jan 18, 2023 at 08:13:13AM -0700, arnold@skeeve.com wrote: > > > > > Interestingly enough, Phil Hughes, who founded Linux Journal > > > in the early 1990s, predicted that this would happen one day. > > > This was in a private conversation we had. I thought he > > > was crazy, but he was right. > > > > > > arnold@skeeve.com wrote: > > > > > > > https://www.theregister.com/2023/01/17/unix_is_dead/ > > > > > > > > FYI. > > > > > > > > Arnold > > > > > > -- > > --- > > Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat -- --- Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Maintenance mode on AIX 2023-01-18 16:19 ` Larry McVoy @ 2023-01-18 16:27 ` Ron Natalie 2023-01-18 16:38 ` [TUHS] " Larry McVoy 0 siblings, 1 reply; 10+ messages in thread From: Ron Natalie @ 2023-01-18 16:27 UTC (permalink / raw) To: tuhs The thread with a similar name reminds me of this story. My little company did a lot of special work for IBM (Federal Sector) from putting a second network card into Secure XENIX to porting the 370/PS2 AIX to two i860 cards. Occassionally, we’d get random other IBM hardware dropped on us. One day an RS/6000 showed up. The problem was that they didn’t give us any indication what the logins were (let alone the root password). Being the long time security “investigator” that I was I started poking around at the thing while waiting for IBM to call me back. The thing had a key switch that switched you from power OFF to NORMAL ot a WRENCH icon (maintenance mode). So I powered it up in the wrench mode. The thing booted up Unix but rather than a shell gave some maintenance program. I poked around at the options hoping for something that would be useful for me without luck. One option was to view the documentation so I brought that up and it displayed some text. The neat thing (for me) was that it used ‘more’ to paginate it. Sure enough, when I got to the end of the first page, I could just hit ! at the prompt and get a root shell. It was then pretty easy to get the machine set up to our liking. -Ron ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 16:27 ` [TUHS] Maintenance mode on AIX Ron Natalie @ 2023-01-18 16:38 ` Larry McVoy 2023-01-18 16:59 ` Clem Cole 2023-01-18 20:34 ` Arno Griffioen via TUHS 0 siblings, 2 replies; 10+ messages in thread From: Larry McVoy @ 2023-01-18 16:38 UTC (permalink / raw) To: Ron Natalie; +Cc: tuhs On Wed, Jan 18, 2023 at 04:27:50PM +0000, Ron Natalie wrote: > Occassionally, we???d get random other IBM hardware dropped on us. One day > an RS/6000 showed up. The problem was that they didn???t give us any > indication what the logins were (let alone the root password). Being the > long time security ???investigator??? that I was I started poking around at > the thing while waiting for IBM to call me back. The thing had a key > switch that switched you from power OFF to NORMAL ot a WRENCH icon > (maintenance mode). So I powered it up in the wrench mode. The thing > booted up Unix but rather than a shell gave some maintenance program. I > poked around at the options hoping for something that would be useful for me > without luck. One option was to view the documentation so I brought that > up and it displayed some text. The neat thing (for me) was that it used > ???more??? to paginate it. Sure enough, when I got to the end of the first > page, I could just hit ! at the prompt and get a root shell. It was then > pretty easy to get the machine set up to our liking. Someone once told me that if they had physical access to a Unix box, they would get root. That has been true forever and it's even more true today, pull the root disk, mount it on Linux, drop your ssh keys in there or add a no password root or setuid a shell, whatever, if you can put your hands on it, you can get in. -- --- Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 16:38 ` [TUHS] " Larry McVoy @ 2023-01-18 16:59 ` Clem Cole 2023-01-18 17:08 ` segaloco via TUHS 2023-01-18 20:34 ` Arno Griffioen via TUHS 1 sibling, 1 reply; 10+ messages in thread From: Clem Cole @ 2023-01-18 16:59 UTC (permalink / raw) To: Larry McVoy; +Cc: tuhs [-- Attachment #1: Type: text/plain, Size: 1808 bytes --] On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote: > Someone once told me that if they had physical access to a Unix box, they > would get root. That has been true forever and it's even more true today, > pull the root disk, mount it on Linux, drop your ssh keys in there or add > a no password root or setuid a shell, whatever, if you can put your hands > on it, you can get in. > A reasonable point, but I think it really depends on the UNIX implementation I suspect. Current mac OS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I can not, but basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe. The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do if mac OS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root files system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly). Clem ᐧ [-- Attachment #2: Type: text/html, Size: 3048 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 16:59 ` Clem Cole @ 2023-01-18 17:08 ` segaloco via TUHS 2023-01-18 17:21 ` Will Senn 0 siblings, 1 reply; 10+ messages in thread From: segaloco via TUHS @ 2023-01-18 17:08 UTC (permalink / raw) To: Clem Cole; +Cc: tuhs [-- Attachment #1: Type: text/plain, Size: 2258 bytes --] Apple's unreasonable hardening has been the latest deterent to my ever wanting to use macOS as a personal driver. I've got a Mac as my daily driver for work, it can happily stay with work until I can decide how the filesystem is laid out and what folders I, as the root user, can and can't interact with from user land. I own my machine, not Apple. - Matt G. ------- Original Message ------- On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> wrote: > On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote: > >> Someone once told me that if they had physical access to a Unix box, they >> would get root. That has been true forever and it's even more true today, >> pull the root disk, mount it on Linux, drop your ssh keys in there or add >> a no password root or setuid a shell, whatever, if you can put your hands >> on it, you can get in. > > A reasonable point, but I think it really depends on the UNIX implementation I suspect. Current mac OS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I can not, but basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe. > > The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do if mac OS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root files system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly). > > Clem > ᐧ [-- Attachment #2: Type: text/html, Size: 3933 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 17:08 ` segaloco via TUHS @ 2023-01-18 17:21 ` Will Senn 2023-01-18 19:50 ` David Barto 2023-01-19 14:25 ` Liam Proven 0 siblings, 2 replies; 10+ messages in thread From: Will Senn @ 2023-01-18 17:21 UTC (permalink / raw) To: segaloco, Clem Cole; +Cc: tuhs [-- Attachment #1: Type: text/plain, Size: 3359 bytes --] Wow, we're all over the place on this thread. I stopped updating my Mac with Mojave. Occasionally, I flirt with more recent incarnations and much like with recent Windows incarnations, I scurry back pretty quickly to the stable and fast. ... and Mojave support 32 bit apps, which is nice. It's fast, responsive, and locked down the way I like it. The mutually exclusive goals represented by security/it lockdown obsession and OS phone homeitis is ridiculous. One hopes that this is not a permanent set of affairs. I would prefer my OS to be under my control and secure my information, for me. Lately, I've been doing work with SculptOS on Genode - a capabilities based OS running on a microkernel (trusted computing base). Sculpts got a ways to go, but I like the way the architects are thinking. Will On 1/18/23 11:08 AM, segaloco via TUHS wrote: > Apple's unreasonable hardening has been the latest deterent to my ever > wanting to use macOS as a personal driver. I've got a Mac as my daily > driver for work, it can happily stay with work until I can decide how > the filesystem is laid out and what folders I, as the root user, can > and can't interact with from user land. I own my machine, not Apple. > > - Matt G. > ------- Original Message ------- > On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> > wrote: > >> >> >> On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote: >> >> Someone once told me that if they had physical access to a Unix >> box, they >> would get root. That has been true forever and it's even more >> true today, >> pull the root disk, mount it on Linux, drop your ssh keys in >> there or add >> a no password root or setuid a shell, whatever, if you can put >> your hands >> on it, you can get in. >> >> A reasonable point, but I think it really depends on the UNIX >> implementation I suspect. Current mac OS is pretty well hardened from >> this, with their current enclaves and needing to boot home to Apple >> to get keys if things are not 100% right. Not saying you or I can >> not, but basically means the same cracking tricks you need to use for >> iPhones. It's not as easy as you describe. >> >> The ubiquitous Internet/WiFi changed the rules - as you can start to >> keep some set of keys somewhere else and then encrypt the local >> volumes. In fact, one of the things they do if mac OS boot detects >> that root has been modified (it has a crypto index stored away when >> it was made read-only), the boot rolls back to the last root snapshot >> -- since they are all read-only that works. In fact, it is a PITA to >> update/fix things like traditional scripts (for instance the scripts >> in the /etc/periodic area). Basically, they make it really unnatural >> to change the root files system, make a new snapshot and index (I >> have yet to see it documented although, with much pain, I previously >> created a procedure that is close -- i.e. it once worked on my >> pre-Ventura Mac - but currently -- fails, so I need to some more >> investigation when I can bring this back to the top of the >> importance/curiosity stack (I have a less than satisfying end around >> for now so I'm ignoring doing it properly). >> >> Clem >> ᐧ > [-- Attachment #2: Type: text/html, Size: 6811 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 17:21 ` Will Senn @ 2023-01-18 19:50 ` David Barto 2023-01-19 14:25 ` Liam Proven 1 sibling, 0 replies; 10+ messages in thread From: David Barto @ 2023-01-18 19:50 UTC (permalink / raw) To: Will Senn; +Cc: segaloco, tuhs [-- Attachment #1: Type: text/plain, Size: 3964 bytes --] I think that the situation with MacOS is an (over) reaction to viruses, worms, and the end users themselves. In order to make sure that the normal user doesn’t do something silly to their system Apple has wound up restricting what the more advanced and knowledgeable user can do. I’m in an in-between camp. I like to install what I want and as long as I can do that, MacOS will work for me. And I like that Apple is working to stop the “bad guys” as much as possible. When installing what I want stops happening then I’ll stop upgrading. Until then I’m willing to ride the Apple train. David > On Jan 18, 2023, at 9:21 AM, Will Senn <will.senn@gmail.com> wrote: > > Wow, we're all over the place on this thread. I stopped updating my Mac with Mojave. Occasionally, I flirt with more recent incarnations and much like with recent Windows incarnations, I scurry back pretty quickly to the stable and fast. ... and Mojave support 32 bit apps, which is nice. It's fast, responsive, and locked down the way I like it. > > The mutually exclusive goals represented by security/it lockdown obsession and OS phone homeitis is ridiculous. One hopes that this is not a permanent set of affairs. I would prefer my OS to be under my control and secure my information, for me. > > Lately, I've been doing work with SculptOS on Genode - a capabilities based OS running on a microkernel (trusted computing base). Sculpts got a ways to go, but I like the way the architects are thinking. > > Will > > > On 1/18/23 11:08 AM, segaloco via TUHS wrote: >> Apple's unreasonable hardening has been the latest deterent to my ever wanting to use macOS as a personal driver. I've got a Mac as my daily driver for work, it can happily stay with work until I can decide how the filesystem is laid out and what folders I, as the root user, can and can't interact with from user land. I own my machine, not Apple. >> >> - Matt G. >> ------- Original Message ------- >> On Wednesday, January 18th, 2023 at 8:59 AM, Clem Cole <clemc@ccc.com> <mailto:clemc@ccc.com> wrote: >> >>> >>> >>> On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com <mailto:lm@mcvoy.com>> wrote: >>> Someone once told me that if they had physical access to a Unix box, they >>> would get root. That has been true forever and it's even more true today, >>> pull the root disk, mount it on Linux, drop your ssh keys in there or add >>> a no password root or setuid a shell, whatever, if you can put your hands >>> on it, you can get in. >>> A reasonable point, but I think it really depends on the UNIX implementation I suspect. Current mac OS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I can not, but basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe. >>> >>> The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do if mac OS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root files system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly). >>> >>> Clem >>> ᐧ >> > [-- Attachment #2: Type: text/html, Size: 8224 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 17:21 ` Will Senn 2023-01-18 19:50 ` David Barto @ 2023-01-19 14:25 ` Liam Proven 1 sibling, 0 replies; 10+ messages in thread From: Liam Proven @ 2023-01-19 14:25 UTC (permalink / raw) To: tuhs On Wed, 18 Jan 2023 at 18:22, Will Senn <will.senn@gmail.com> wrote: > > Wow, we're all over the place on this thread. True! > I stopped updating my Mac with Mojave. Me too. I have some irreplaceable 32-bit apps. > I would prefer my OS to be under my control and secure my information, for me. I agree. *But* the thing is this, and I am theorizing here. Apple is trying to move to Arm-ISA Macs with its own very highly integrated chipset. This is imposing some issues. E.g. The M1 Macs can't boot from an external device if the internal one fails. You can't just put in a USB key and start from it. You can't just remove a failed drive, replace it, format it, reinstall the OS and keep going. https://apple.stackexchange.com/questions/437022/can-apple-silicon-based-mac-boot-from-unauthorized-external-drive They seem to lack the old 68K/PowerPC/x86 fairly clean separation between firmware and OS on a disk. They are, pretty much, the whole computer on a single SOC. The first SOC was the ARM250: CPU + GPU + memory controller. Then FPU and bus controllers and interfaces and things moved on board too. Now, the RAM is on board, and the SSD is also built in if not on the same die. It is extremely hard to replace/upgrade them, e.g. https://www.macrumors.com/2021/04/06/m1-mac-ram-and-ssd-upgrades-possible/ In a way the Arm Macs are sort of like iPads with external screens. It is also notable that there is _still_ no Arm-based Mac Pro: I don't think they've found a way to make their new architecture as modular, with external GPUs and an expansion bus. I suspect they won't be able to and eventually the Intel kit will quietly disappear with no direct replacement. So I think that Apple is trying to make the OS as *extremely* robust and tamper-proof as they can, because if that soldered-in-place disk gets scrambled or compromised, then the expensive hardware is basically toast. I don't like it either and I don't want an Arm-powered Mac for now... but I sort of understand what they are trying to do, I think. -- Liam Proven ~ Profile: https://about.me/liamproven Email: lproven@cix.co.uk ~ gMail/gTalk/FB: lproven@gmail.com Twitter/LinkedIn: lproven ~ Skype: liamproven UK: (+44) 7939-087884 ~ Czech [+ WhatsApp/Telegram/Signal]: (+420) 702-829-053 ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 16:38 ` [TUHS] " Larry McVoy 2023-01-18 16:59 ` Clem Cole @ 2023-01-18 20:34 ` Arno Griffioen via TUHS 2023-01-18 20:50 ` Brad Spencer 1 sibling, 1 reply; 10+ messages in thread From: Arno Griffioen via TUHS @ 2023-01-18 20:34 UTC (permalink / raw) To: tuhs On Wed, Jan 18, 2023 at 08:38:40AM -0800, Larry McVoy wrote: > Someone once told me that if they had physical access to a Unix box, they > would get root. That has been true forever and it's even more true today, > pull the root disk, mount it on Linux, drop your ssh keys in there or add > a no password root or setuid a shell, whatever, if you can put your hands > on it, you can get in. Until a few years ago, I would definitely agree. Done that regularly in the past. (and worked on lots of network gear too...) However.. Nowadays with a little effort you can make a bootable Linux machine that uses either a passphrase or some external key/dongle/fingerprint/etc. to unlock an encrypted root fs and additional filesystems. If you don't have those credentials, then it's going to be pretty tricky to access as you simply can't even access any of the encrypted filesystems to start with. Yes, you could probably get the initrd booted with a root shell and then wipe the machine/disk to then do what you want, but the original install is getting pretty hard to jump into with boot tricks these days. Bye, Arno. ^ permalink raw reply [flat|nested] 10+ messages in thread
* [TUHS] Re: Maintenance mode on AIX 2023-01-18 20:34 ` Arno Griffioen via TUHS @ 2023-01-18 20:50 ` Brad Spencer 0 siblings, 0 replies; 10+ messages in thread From: Brad Spencer @ 2023-01-18 20:50 UTC (permalink / raw) To: tuhs Arno Griffioen via TUHS <tuhs@tuhs.org> writes: > On Wed, Jan 18, 2023 at 08:38:40AM -0800, Larry McVoy wrote: >> Someone once told me that if they had physical access to a Unix box, they >> would get root. That has been true forever and it's even more true today, >> pull the root disk, mount it on Linux, drop your ssh keys in there or add >> a no password root or setuid a shell, whatever, if you can put your hands >> on it, you can get in. > > Until a few years ago, I would definitely agree. Done that regularly > in the past. (and worked on lots of network gear too...) > > However.. > > Nowadays with a little effort you can make a bootable Linux machine that > uses either a passphrase or some external key/dongle/fingerprint/etc. > to unlock an encrypted root fs and additional filesystems. > > If you don't have those credentials, then it's going to be pretty tricky to > access as you simply can't even access any of the encrypted filesystems to > start with. > > Yes, you could probably get the initrd booted with a root shell and > then wipe the machine/disk to then do what you want, but the original > install is getting pretty hard to jump into with boot tricks these days. > > Bye, Arno. Yes++ ... I did something simular with NetBSD a few years ago. I booted a removable drive that asked for the passphrase to decrypt the real root filesystem.. the drive was removed and stored separately from the laptop when at rest. Today, I don't even need a removable drive any more, a ramdisk is attached to the kernel and unpacks itself upon boot and that asks for the passphrase. The root filesystem itself is more or less completely encrypted. Not quite full end to end, but very close. All you could really do is destroy the system, which may be good enough for some, but getting the information off of the encrypted filesystem would be hard. -- Brad Spencer - brad@anduin.eldar.org - KC8VKS - http://anduin.eldar.org ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-01-19 14:26 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <zpdIicuX7AbN-y6hYho0eLOnHgzRs4iHa1UD6bxUyiTZhqZkg3Ha8TKWV ASxWkDZitFw0JIopRVh7BRC2PzLFrF_Gjsb2yCi-uxJ3Yr3AtE=@protonmail.com> 2023-01-18 20:04 ` [TUHS] Re: Maintenance mode on AIX Joseph J. Mankoski ***PSI*** 2023-01-19 3:56 ` steve jenkin 2023-01-18 9:43 [TUHS] AIX moved into maintainance mode arnold 2023-01-18 15:13 ` [TUHS] " arnold 2023-01-18 15:14 ` Larry McVoy 2023-01-18 16:10 ` segaloco via TUHS 2023-01-18 16:19 ` Larry McVoy 2023-01-18 16:27 ` [TUHS] Maintenance mode on AIX Ron Natalie 2023-01-18 16:38 ` [TUHS] " Larry McVoy 2023-01-18 16:59 ` Clem Cole 2023-01-18 17:08 ` segaloco via TUHS 2023-01-18 17:21 ` Will Senn 2023-01-18 19:50 ` David Barto 2023-01-19 14:25 ` Liam Proven 2023-01-18 20:34 ` Arno Griffioen via TUHS 2023-01-18 20:50 ` Brad Spencer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).