--- begin forwarded text Delivered-To: clips@philodox.com Date: Tue, 27 Dec 2005 00:44:13 -0500 To: "Philodox Clips List" <clips@philodox.com> From: "R. A. Hettinga" <rah@shipwright.com> Subject: [Clips] interesting new feature on osx..! Reply-To: rah@philodox.com Sender: clips-bounces@philodox.com This comes from the smartfriends list, apparently... Cheers, RAH --- begin forwarded text Date: Mon, 26 Dec 2005 16:38:59 -0800 To: "R. A. Hettinga" <rah@shipwright.com> From: Vinnie Moscaritolo <vinnie@vmeng.com> Subject: interesting new feature on osx..! Content-Type: text/plain; charset="us-ascii" ; format="flowed" I just got a new PB 17 and noticed to my absolute terror that it seems to be performing some kind of new hibernation feature that writes out the contents of main memory to disk when going to sleep (the lack of which feature has long been a point of pride for Mac users in my eyes as it has always been the largest Windows security flaw known to man). It is doing this automatically without even asking me if I would like to sacrifice every semblance of security, and I have not found an option to turn it off. The implications of this are astronomical, and I need to get this feature completely removed so that there is no possibility it would ever occur. I would even switch laptops if this can't be disabled. Does anyone know yet how one might go about getting rid of this? Thanks. - Will _______________________________________________ Will Price, wrote:
I just got a new PB 17 and noticed to my absolute terror that it seems to be performing some kind of new hibernation feature that writes out the contents of main memory to disk when going to sleep (the lack of which feature has long been a point of pride for Mac users in my eyes as it has always been the largest Windows security flaw known to man).
I thought that feature would only kick in when the machine is already asleep and in danger of losing its memory. Too bad.
Does anyone know yet how one might go about getting rid of this?
Probably the opposite of this: <http://www.macosxhints.com/article.php?story=20051114072358161> | Jonathan 'Wolf' Rentzsch http://rentzsch.com | Red Shed Software http://redshed.net | "better" necessarily means "different" _______________________________________________ On Dec 22, 2005, at 6:19 PM, Will Price wrote:
The implications of this are astronomical, and I need to get this feature completely removed so that there is no possibility it would ever occur. I would even switch laptops if this can't be disabled. Does anyone know yet how one might go about getting rid of this?
My first try would be to remove the has-safe-sleep property in Open Firmware. Instructions on hacking it on are here: http://www.andrewescobar.com/archive/2005/11/11/how-to-safe-sleep- your-mac/ Presumably, a variation on this technique can force the property off on the latest PowerBooks. Barring that, Ebay your machine and get a reconditioned previous model. Amanda Walker _______________________________________________ On Dec 22, 2005, at 15:19 PM, Will Price wrote:
I just got a new PB 17 and noticed to my absolute terror that it seems to be performing some kind of new hibernation feature that writes out the contents of main memory to disk when going to sleep
Excellent! All computers should do that, including desktops. I was beginning to worry that Mac OS X didn't have this basic and important feature, as does Windows.
(the lack of which feature has long been a point of pride for Mac users in my eyes as it has always been the largest Windows security flaw known to man).
It's called "virtual memory". RAM is constantly being written to disk. Am I missing something? Programs that wish to keep parts of RAM off of disk can request it-- and should--but that is orthogonal to the rather simple idea of flushing pending writes to the backing store in case of power failure. Are you talking about something else?
It is doing this automatically without even asking me if I would like to sacrifice every semblance of security, and I have not found an option to turn it off.
You won't be able to turn of virtual memory. I assume that if you turn on encrypted VM backing store, that'll ease your mind: System Preferences : Security : Use secure virtual memory If you aren't using that already, what happens at sleep is the least of your worries. Oh, and turn on FileVault to encrypt your files on disk, otherwise all your really important data will be trivially accessible through a FireWire cable and target disk mode -- what's in RAM is not usually the biggest security risk. _______________________________________________ Amanda Walker suggested:
On Dec 22, 2005, at 6:19 PM, Will Price wrote:
The implications of this are astronomical, and I need to get this feature completely removed so that there is no possibility it would ever occur. I would even switch laptops if this can't be disabled. Does anyone know yet how one might go about getting rid of this?
My first try would be to remove the has-safe-sleep property in Open Firmware. Instructions on hacking it on are here:
http://www.andrewescobar.com/archive/2005/11/11/how-to-safe-sleep- your-mac/
Presumably, a variation on this technique can force the property off on the latest PowerBooks.
This worked: sudo pmset -a hibernatemode 0 I suspect this will be a very popular command until a patch is issued which I certainly hope comes soon given the scale of this problem. Chris Page opined:
I just got a new PB 17 and noticed to my absolute terror that it seems to be performing some kind of new hibernation feature that writes out the contents of main memory to disk when going to sleep
Excellent! All computers should do that, including desktops. I was beginning to worry that Mac OS X didn't have this basic and important feature, as does Windows.
Errr. Ya. Right. Sadly, I'm sure some marketing checkbox is responsible for this debacle.
(the lack of which feature has long been a point of pride for Mac users in my eyes as it has always been the largest Windows security flaw known to man).
It's called "virtual memory". RAM is constantly being written to disk. Am I missing something?
Programs that wish to keep parts of RAM off of disk can request it-- and should--but that is orthogonal to the rather simple idea of flushing pending writes to the backing store in case of power failure.
Are you talking about something else?
I wish it were like virtual memory, that has an encryption option at least. Unfortunately, it is a massive security flaw that completely bypasses virtual memory encryption even if it is on. At this point I almost regret bringing it up as further research has now revealed it really is a security flaw and I should probably be reporting this directly to Apple as a courtesy. However, I had not done that research when I asked my question.
It is doing this automatically without even asking me if I would like to sacrifice every semblance of security, and I have not found an option to turn it off.
You won't be able to turn of virtual memory. I assume that if you turn on encrypted VM backing store, that'll ease your mind:
System Preferences : Security : Use secure virtual memory
If you aren't using that already, what happens at sleep is the least of your worries. Oh, and turn on FileVault to encrypt your files on disk, otherwise all your really important data will be trivially accessible through a FireWire cable and target disk mode -- what's in RAM is not usually the biggest security risk.
No, it did not ease my mind because these features are totally unrelated. Run the strings command on /var/vm/sleepimage. That would be the 2GB file which appears to contain the contents of my entire main memory (wasting 2GB of space on the drive). That file is chock full of strings in English. It is not encrypted at all. It is not stored inside FileVault. It is just sitting there WIDE OPEN! I found passwords, emails, and all kinds of other stuff in this wonderful file, and I'm using not only everything you just mentioned but much more security software on this machine. This was an Apple oversight, pure and simple. This virtually secret feature, turned on by default without any notification on new machines, with no option to turn it off, that completely eliminates the usefulness of FileVault, encrypted VM, and any other security you might think you have, writing every bit of your main memory to unencrypted disk space, is.... I just don't have words for it. I'm extremely frustrated right now that I fell for this even for a week before catching telltale signs of this in my syslog.
Does this feature write the data separately from the VM backing store? Does it circumvent VM backing store encryption?
Sure does. Totally eliminating any benefit you may have thought you had from those features.
It is doing this automatically without even asking me if I would like to sacrifice every semblance of security, and I have not found an option to turn it off.
You won't be able to turn of virtual memory. I assume that if you turn on encrypted VM backing store, that'll ease your mind:
System Preferences : Security : Use secure virtual memory
It has been explained to me that Will has mad security skilz, so I'm assuming the problem is that this isn't merely flushing to the VM backing store, but writing RAM to a different location sans encryption, is that it?
Still, I am firmly in favor of the basic idea of saving machine state in non-volatile storage -- securely, of course.
I am glad you are in favor of it. Perhaps if it could be implemented in such a way that every semblance of security in the rest of the operating system was not thrown out the window at the same time, I might reconsider whether it was a good idea. For now, if I were at Apple, I would be setting off the red alert and finding who is responsible for this so that it can be fixed. Thanks. - Will _______________________________________________ On Dec 23, 2005, at 4:32 AM, Will Price wrote:
Run the strings command on /var/vm/sleepimage. That would be the 2GB file which appears to contain the contents of my entire main memory (wasting 2GB of space on the drive). That file is chock full of strings in English. It is not encrypted at all.
I know the file contains many strings. Some of these strings are from my machine, and are non-generic. However, I'm not entirely sure it is all of main memory unencrypted. I don't know how the feature works entirely -- it probably uses some kind of caching to write only parts of memory to disk based on usage, but of course whatever is in use is what you would want encrypted. I do know it has many unencrypted strings. I used the laptop in Firewire target mode to make sure I could still read the contents of /var/vm/sleepimage. The file is also successfully unused once disabling the feature. _______________________________________________ On Dec 23, 2005, at 3:17 AM, Chris Page wrote
On Dec 23, 2005, at 00:07 AM, Chris Page wrote:
It's called "virtual memory". RAM is constantly being written to disk. Am I missing something?
Does this feature write the data separately from the VM backing store? Does it circumvent VM backing store encryption?
Yes and yes. Amanda Walker _______________________________________________ On Dec 23, 2005, at 3:29 AM, Chris Page wrote:
It has been explained to me that Will has mad security skilz, so I'm assuming the problem is that this isn't merely flushing to the VM backing store, but writing RAM to a different location sans encryption, is that it?
Correct. And since the Mac doesn't currently support encrypting an entire partition, that different location is unencrypted, bypassing (as Will noted) FileVault, PGPDisk, encrypted VM, or whatever else you use. It also means that you can clone a machine's running state from a "cold disk" (or possibly just from Firewire disk mode, without even having to open the machine). This is a definite security risk. And yes, most modern PCs have this problem as well, but making Macs vulnerability-compatible with PCs isn't necessarily a good thing :-).
Still, I am firmly in favor of the basic idea of saving machine state in non-volatile storage -- securely, of course.
Indeed. I've been pestering Vinnie about PGP Whole Disk Encryption for Macs for a while now :-). MacOS X could really use something like that or FreeBSD's GBDE. Amanda Walker _______________________________________________ -- Vinnie Moscaritolo ITCB-IMSH PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042 ------------------------------------------------------- --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' _______________________________________________ Clips mailing list Clips@philodox.com http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'