One of the Most Novice Security Bugs Ever?
Testing and Validation
When I taught software development, my students would show me the running program, and told me that it worked. But I used to say 'What happens when I don't enter any characters there?", or what happens if I keep the 'a' key pressed down and enter 1,000s of characters?". Often they would say, "I don't know!", and I'd say ... "but didn't you test it?", "Yes!", "But you haven't tested it for all the conditions!", and often I'd go ahead and crash their program (as we used C, and they had only reserved a few characters for the input).
These days you often spend as much time testing a program than you do in actually writing it. The tests should involve valid and invalid input, and these tests should run on every release. A basic one is to test for the NULL input for a password or and see if that corrupts the operation.
The most novice of bugs?
I love my Macbook, and I now struggle to use Windows 10, as I find it over bloated and illogical. I feel safe with it, and know that the phishing emails will often have no effect on me. I also like it, as it has a version of Unix/Linux-like operating system (ported from Steve's NeXt system) underneath, and I can "ls", " ", and "find" to my heart's content, as typing commands what I do. I can run Python directly, and it runs Linux Kali, Windows 7, Ubuntu, and any other operating system that I want. I once gave a presentation to 400 and opened up my laptop, and it said ...
"Updating Windows 10. Ready in 20 minutes. Do not shutdown" ...
I then had to do my presentation without any slides. After that day, I decided never to rely on Microsoft Windows ever again for a presentation. On a day-to-day basis, I only ever use Microsoft Windows to run Visual Studio and Visio, as they are the only two applications that need Windows to run properly.
Steve Jobs made the decision to move to Linux and to the Intel x86 architecture, as Apple struggling as a company to innovate both with their operating systems and with their hardware. The move allowed Apple to concentrate on the things that really matter ... the user. They basically got it correct, and Mac OSX has always led from the and has required few major updates.
The genius of Spotlight and the amazing and the robustness of the metal have never been equalled on a Windows-based computer.
And so I am shocked that Apple allowed the "root" user account to slip through without any password. you access the "root" account and then press Enter a few times, and you by-pass
Surely that is one of the most basic tests that you would do on your operating system ... and can be easily automated? For a company who have pushed forward on multi-factor authentication and who integrate security across devices, this bug is one of the most embarrassing that I've ever seen! Apple is normally fast with updates and they are often ... so I expect that I'll see an update later today ... if not, then I will know they have a major problem that needs a bit of thinking about.
Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant
7 年The root user account is not intended for routine use. Its privileges allow changes to files that are required by your Mac. To undo such changes, you might need to reinstall your system software. You should disable the root user after completing your task.