macOS bug gives you password-free admin access

In quite the security slip-up, Apple's latest version of macOS, High Sierra, lets anyone get a full administrator session with no password at all. All you need to do is type 'root' in the username field of an authentication prompt, leave the password empty, hit enter and you're in as the superuser.

The issue is of concern because there are a few key attack vectors here:

  • Malware already running on a machine could easily use this to gain root-level access to your files
  • Any signed-in user (even a guest) can use it to escalate themselves to administrator
  • Macs with VNC screen sharing enabled are particularly exposed, as a remote user can use the same trick to log in

If your machine is powered off or locked, and you have FileVault encryption enabled (please tell me you do), it shouldn't be exposed.

The bad news: the bug isn't patched. Apple only found out about it via a tweet asking the company's support account about it, and as of yesterday is readying a fix. The good news: there's a simple workaround until the patch lands: enable the root account and manually set a real password on it (the steps are linked here).
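Here is the workaround as a script, added here as an example and not code from the newsletter or from Apple. It checks whether root actually has a credential by reading the account's AuthenticationAuthority attribute with dscl, and if it doesn't, enables root with a password via dsenableroot. The shape of the dscl output it matches on (a missing key when root is disabled, a ShadowHash entry once a password is set) is my assumption about what those commands print; the sample strings are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example, not code from the newsletter or from Apple. Checks whether the
# macOS root account has credentials and, if it doesn't, enables it with a real
# password so the blank-password login no longer works. Meant for macOS 10.13,
# where dscl and dsenableroot exist; the output parsing below is my assumption.

# Constructed sample dscl output (not captured from a real machine).
# A stock install with root disabled reports the attribute as missing:
SAMPLE_ROOT_DISABLED="No such key: AuthenticationAuthority"
# Once root has a password, the attribute carries a ShadowHash entry:
SAMPLE_ROOT_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"

# Decide from the output of `dscl . -read /Users/root AuthenticationAuthority`
# whether root has a real credential. Exit status 0 = enabled, 1 = disabled.
root_enabled_from_dscl() {
  case "$1" in
    *ShadowHash*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Live check on this Mac (a missing key makes dscl exit non-zero, so don't fail on it).
root_enabled() {
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
  root_enabled_from_dscl "$out"
}

# Mitigation: give root a strong password. dsenableroot prompts for your admin
# password, then for the new root password. Don't disable root again afterwards
# with `dsenableroot -d`: reports at the time said disabling it brings the
# blank-password behaviour back, so leave it enabled until Apple's patch is in.
harden_root() {
  if root_enabled; then
    echo "root already has a password set; nothing to do"
  else
    echo "root has no credential: enabling it with a password"
    sudo dsenableroot
  fi
}

# Usage: sh harden_root.sh harden   (only acts when asked, so sourcing is safe)
if [ "${1:-}" = "harden" ]; then
  harden_root
fi
```

Run it with the `harden` argument on the affected Mac; without the argument it only defines the functions, so you can source it and call `root_enabled` to audit a machine first.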

This is a weird one because it shows a particular lack of testing on Apple's part, and it's difficult to explain how a login path that was fine in Sierra regressed this badly in High Sierra outside of a sloppy review process. More than anything else, it's just not what you expect, especially as the Mac narrative has long been that the system is the more secure one.

With persistent rumors that the macOS team has been disbanded, it could be a side effect of Apple just not paying as much attention to detail here, or it could be an innocent mistake. Either way, not a great look for the company, even if it's trying to convince us all that the iPad is the future anyway.


Waymo vs Uber delayed after new revelations

Google's self-driving car unit, Waymo, has been embroiled in a battle with Uber's self-driving truck startup, Otto, for months now, after a former Waymo engineer was accused of taking Google's technology with him and essentially replicating it for Uber.

Now there's a new revelation in the case: a former Uber employee has come forward and sworn on the record that an internal team called Marketplace Analytics is tasked with the job of stealing trade secrets and gathering "other intelligence" from competitors using any means necessary. 

That team used tactics such as deliberately seeking out code competitors had accidentally made public on GitHub, and its members were required to use encrypted, ephemeral messaging internally to ensure there was no trace of their activities.

The judge in the case had brutal words for Uber's defense on Tuesday after these revelations surfaced, particularly as Uber's own lawyers admitted they didn't know about the practice:

"The server turns out to be for dummies, that’s where the stuff that doesn’t matter shows up. The stuff that does matter is going to be in the Wickr evaporate file [...] any company that would set up such a surreptitious system is as suspicious as can be," adding "You’re making the impression that this is a total cover up."

On top of this, there's a new, sealed letter that's thrown the lawsuit into disarray, sent internally earlier this year by the former Uber employee, Ric Jacobs. The letter, which is 37 pages long, was obtained by the court all the way back on the 22nd of November and was expected to be unsealed today, but wasn't, due to the "nature of the allegations" — and now we're left wondering what's inside it.

This case is going to go on for a long time and may reveal much more about Uber's internal workings than has ever been made public before. It's got everything too: a heist, a cover-up and even specific efforts to mislead executives and the court.

Stay tuned for more here, but Uber might really need that SoftBank money soon, given that Waymo is seeking $1.9 billion in damages.


Tab Dump™

Facebook's new captcha: your face
This is a straight up dystopian feature: Facebook is testing a system where you occasionally need to upload a selfie of yourself to unlock your account. Creepy.

FCC's chairman is just blaming everyone else
Yes, the man who wants to kill the net neutrality rules is now arguing that Twitter is a bigger threat to the open internet than your shitty ISP... because we're all totally forced to use Twitter, yes.