[Clips] interesting new feature on osx..!

R. A. Hettinga rah at shipwright.com
Mon Dec 26 21:44:57 PST 2005


--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Tue, 27 Dec 2005 00:44:13 -0500
 To: "Philodox Clips List" <clips at philodox.com>
 From: "R. A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] interesting new feature on osx..!
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 This comes from the smartfriends list, apparently...

 Cheers,
 RAH

 --- begin forwarded text


 Date: Mon, 26 Dec 2005 16:38:59 -0800
 To: "R. A. Hettinga" <rah at shipwright.com>
 From: Vinnie Moscaritolo <vinnie at vmeng.com>
 Subject: interesting new feature on osx..!




 Content-Type: text/plain; charset="us-ascii" ; format="flowed"


 I just got a new PB 17 and noticed to my absolute terror that it
 seems to be performing some kind of new hibernation feature that
 writes out the contents of main memory to disk when going to sleep
 (the lack of which feature has long been a point of pride for Mac
 users in my eyes as it has always been the largest Windows security
 flaw known to man). It is doing this automatically without even
 asking me if I would like to sacrifice every semblance of security,
 and I have not found an option to turn it off. The implications of
 this are astronomical, and I need to get this feature completely
 removed so that there is no possibility it would ever occur. I would
 even switch laptops if this can't be disabled. Does anyone know yet
 how one might go about getting rid of this?

 Thanks.
 - Will


 _______________________________________________

 Will Price, wrote:
 >I just got a new PB 17 and noticed to my absolute terror that it
 >seems to be performing some kind of new hibernation feature that
 >writes out the contents of main memory to disk when going to sleep
 >(the lack of which feature has long been a point of pride for Mac
 >users in my eyes as it has always been the largest Windows security
 >flaw known to man).

 I thought that feature would only kick in when the machine is already
 asleep and in danger of losing its memory. Too bad.

 >Does anyone know yet
 >how one might go about getting rid of this?

 Probably the opposite of this:

 <http://www.macosxhints.com/article.php?story=20051114072358161>

 | Jonathan 'Wolf' Rentzsch   http://rentzsch.com
 | Red Shed Software           http://redshed.net
 |     "better" necessarily means "different"

 _______________________________________________

 On Dec 22, 2005, at 6:19 PM, Will Price wrote:
 >  The implications of
 >  this are astronomical, and I need to get this feature completely
 >  removed so that there is no possibility it would ever occur. I would
 >  even switch laptops if this can't be disabled. Does anyone know yet
 >  how one might go about getting rid of this?

 My first try would be to remove the has-safe-sleep property in Open
 Firmware.  Instructions on hacking it on are here:

 	http://www.andrewescobar.com/archive/2005/11/11/how-to-safe-sleep-
 your-mac/

 Presumably, a variation on this technique can force the property off
 on the latest PowerBooks.

 Barring that, Ebay your machine and get a reconditioned previous model.


 Amanda Walker

 _______________________________________________

 On Dec 22, 2005, at 15:19 PM, Will Price wrote:

 >  I just got a new PB 17 and noticed to my absolute terror that it
 >  seems to be performing some kind of new hibernation feature that
 >  writes out the contents of main memory to disk when going to sleep

 Excellent! All computers should do that, including desktops. I was
 beginning to worry that Mac OS X didn't have this basic and important
 feature, as does Windows.

 >  (the lack of which feature has long been a point of pride for Mac
 >  users in my eyes as it has always been the largest Windows security
 >  flaw known to man).

 It's called "virtual memory". RAM is constantly being written to
 disk. Am I missing something?

 Programs that wish to keep parts of RAM off of disk can request it--
 and should--but that is orthogonal to the rather simple idea of
 flushing pending writes to the backing store in case of power failure.

 Are you talking about something else?

 >  It is doing this automatically without even asking me if I would
 >  like to sacrifice every semblance of security, and I have not found
 >  an option to turn it off.

 You won't be able to turn of virtual memory. I assume that if you
 turn on encrypted VM backing store, that'll ease your mind:

 	System Preferences : Security : Use secure virtual memory

 If you aren't using that already, what happens at sleep is the least
 of your worries. Oh, and turn on FileVault to encrypt your files on
 disk, otherwise all your really important data will be trivially
 accessible through a FireWire cable and target disk mode -- what's in
 RAM is not usually the biggest security risk.

 _______________________________________________

 Amanda Walker suggested:
 >  On Dec 22, 2005, at 6:19 PM, Will Price wrote:
 >>  The implications of
 >>  this are astronomical, and I need to get this feature completely
 >>  removed so that there is no possibility it would ever occur. I would
 >>  even switch laptops if this can't be disabled. Does anyone know yet
 >>  how one might go about getting rid of this?
 >
 >  My first try would be to remove the has-safe-sleep property in Open
 >  Firmware.  Instructions on hacking it on are here:
 >
 > 	http://www.andrewescobar.com/archive/2005/11/11/how-to-safe-sleep-
 >  your-mac/
 >
 >  Presumably, a variation on this technique can force the property
 >  off on the latest PowerBooks.

 This worked:

 sudo pmset -a hibernatemode 0

 I suspect this will be a very popular command until a patch is issued
 which I certainly hope comes soon given the scale of this problem.

 Chris Page opined:
 >>  I just got a new PB 17 and noticed to my absolute terror that it
 >>  seems to be performing some kind of new hibernation feature that
 >>  writes out the contents of main memory to disk when going to sleep
 >
 >  Excellent! All computers should do that, including desktops. I was
 >  beginning to worry that Mac OS X didn't have this basic and important
 >  feature, as does Windows.

 Errr. Ya. Right. Sadly, I'm sure some marketing checkbox is
 responsible for this debacle.

 >>  (the lack of which feature has long been a point of pride for Mac
 >>  users in my eyes as it has always been the largest Windows security
 >>  flaw known to man).
 >
 >  It's called "virtual memory". RAM is constantly being written to
 >  disk. Am I missing something?
 >
 >  Programs that wish to keep parts of RAM off of disk can request it--
 >  and should--but that is orthogonal to the rather simple idea of
 >  flushing pending writes to the backing store in case of power failure.
 >
 >  Are you talking about something else?

 I wish it were like virtual memory, that has an encryption option at
 least. Unfortunately, it is a massive security flaw that completely
 bypasses virtual memory encryption even if it is on. At this point I
 almost regret bringing it up as further research has now revealed it
 really is a security flaw and I should probably be reporting this
 directly to Apple as a courtesy. However, I had not done that
 research when I asked my question.

 >>  It is doing this automatically without even asking me if I would
 >>  like to sacrifice every semblance of security, and I have not found
 >>  an option to turn it off.
 >
 >  You won't be able to turn of virtual memory. I assume that if you
 >  turn on encrypted VM backing store, that'll ease your mind:
 >
 > 	System Preferences : Security : Use secure virtual memory
 >
 >  If you aren't using that already, what happens at sleep is the least
 >  of your worries. Oh, and turn on FileVault to encrypt your files on
 >  disk, otherwise all your really important data will be trivially
 >  accessible through a FireWire cable and target disk mode -- what's in
 >  RAM is not usually the biggest security risk.

 No, it did not ease my mind because these features are totally
 unrelated.

 Run the strings command on /var/vm/sleepimage. That would be the 2GB
 file which appears to contain the contents of my entire main memory
 (wasting 2GB of space on the drive). That file is chock full of
 strings in English. It is not encrypted at all. It is not stored
 inside FileVault. It is just sitting there WIDE OPEN! I found
 passwords, emails, and all kinds of other stuff in this wonderful
 file, and I'm using not only everything you just mentioned but much
 more security software on this machine.

 This was an Apple oversight, pure and simple. This virtually secret
 feature, turned on by default without any notification on new
 machines, with no option to turn it off, that completely eliminates
 the usefulness of FileVault, encrypted VM, and any other security you
 might think you have, writing every bit of your main memory to
 unencrypted disk space, is.... I just don't have words for it. I'm
 extremely frustrated right now that I fell for this even for a week
 before catching telltale signs of this in my syslog.

 >  Does this feature write the data separately from the VM backing
 >  store? Does it circumvent VM backing store encryption?

 Sure does. Totally eliminating any benefit you may have thought you
 had from those features.

 >>>  It is doing this automatically without even asking me if I would
 >>>  like to sacrifice every semblance of security, and I have not found
 >>>  an option to turn it off.
 >>
 >>  You won't be able to turn of virtual memory. I assume that if you
 >>  turn on encrypted VM backing store, that'll ease your mind:
 >>
 >> 	System Preferences : Security : Use secure virtual memory
 >
 >  It has been explained to me that Will has mad security skilz, so I'm
 >  assuming the problem is that this isn't merely flushing to the VM
 >  backing store, but writing RAM to a different location sans
 >  encryption, is that it?
 >
 >  Still, I am firmly in favor of the basic idea of saving machine state
 >  in non-volatile storage -- securely, of course.

 I am glad you are in favor of it. Perhaps if it could be implemented
 in such a way that every semblance of security in the rest of the
 operating system was not thrown out the window at the same time, I
 might reconsider whether it was a good idea. For now, if I were at
 Apple, I would be setting off the red alert and finding who is
 responsible for this so that it can be fixed.

 Thanks.
 - Will


 _______________________________________________

 On Dec 23, 2005, at 4:32 AM, Will Price wrote:
 >  Run the strings command on /var/vm/sleepimage. That would be the 2GB
 >  file which appears to contain the contents of my entire main memory
 >  (wasting 2GB of space on the drive). That file is chock full of
 >  strings in English. It is not encrypted at all.

 I know the file contains many strings. Some of these strings are from
 my machine, and are non-generic. However, I'm not entirely sure it is
 all of main memory unencrypted. I don't know how the feature works
 entirely -- it probably uses some kind of caching to write only parts
 of memory to disk based on usage, but of course whatever is in use is
 what you would want encrypted. I do know it has many unencrypted
 strings. I used the laptop in Firewire target mode to make sure I
 could still read the contents of /var/vm/sleepimage. The file is also
 successfully unused once disabling the feature.



 _______________________________________________

 On Dec 23, 2005, at 3:17 AM, Chris Page wrote
 >  On Dec 23, 2005, at 00:07 AM, Chris Page wrote:
 >
 >>  It's called "virtual memory". RAM is constantly being written to
 >>  disk. Am I missing something?
 >
 >  Does this feature write the data separately from the VM backing
 >  store? Does it circumvent VM backing store encryption?

 Yes and yes.


 Amanda Walker

 _______________________________________________

 On Dec 23, 2005, at 3:29 AM, Chris Page wrote:
 >  It has been explained to me that Will has mad security skilz, so I'm
 >  assuming the problem is that this isn't merely flushing to the VM
 >  backing store, but writing RAM to a different location sans
 >  encryption, is that it?

 Correct.  And since the Mac doesn't currently support encrypting an
 entire partition, that different location is unencrypted, bypassing
 (as Will noted) FileVault, PGPDisk, encrypted VM, or whatever else
 you use.

 It also means that you can clone a machine's running state from a
 "cold disk" (or possibly just from Firewire disk mode, without even
 having to open the machine).  This is a definite security risk.

 And yes, most modern PCs have this problem as well, but making Macs
 vulnerability-compatible with PCs isn't necessarily a good thing :-).

 >  Still, I am firmly in favor of the basic idea of saving machine state
 >  in non-volatile storage -- securely, of course.

 Indeed.  I've been pestering Vinnie about PGP Whole Disk Encryption
 for Macs for a while now :-).  MacOS X could really use something
 like that or FreeBSD's GBDE.


 Amanda Walker

 _______________________________________________

 --

 Vinnie Moscaritolo                                          ITCB-IMSH
 PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042
 -------------------------------------------------------

 --- end forwarded text


 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 _______________________________________________
 Clips mailing list
 Clips at philodox.com
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





More information about the cypherpunks-legacy mailing list