Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

That is quite the opposite for almost all the Mac users I know. They don't like the fact that FireFox is slower than Safari, and in just does not work as well. As a web developer I have all the major browsers for Mac OS X installed, and I sometimes use Camino if a website does not fully support Safari (goddamn you eCollege).

Chris and Deviant; I guess I have been lucky. I have not had any problems with Apple what so ever. I have had hardware failures, they have been resolved quickly and in the appropriate manner by Apple, with an apology from the manager and a hefty discount on my Apple Care Pro, and a free keyboard.

I am interested to hear the experiences you guys have had with Apple, was there a thread here on the forums about it?

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Hmm, that's odd, I found a different version.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I can't remember if I posted the full details on here or not (probably did) but since I love getting on my fuck apple soapbox I will summarize....this is long so grab a drink (or hit page down a couple of times if you aren't interested).

I got a Powerbook in 2005 for a project I was working on.

http://www.amazon.com/OS-Hackers-Hea...6988227&sr=8-1

The FIRST one I got shipped with a faulty connection for the power supply. I called the store they said bring it in and we'll replace it. I boxed it up and drove the 45 minutes to the nearest Crapple store only to have the genius (tm) there tell me that they couldn't exchange my BRAND NEW FAULTY Powerbook for a new one but that they would have to send it in for service. I basically flipped the fuck out on them in the store until they agreed to exchange it for a new one. They also suckered me into buying AppleCare at the time of the exchange....big mistake. More on that later.

About one month later (and I am working from memory here so my dates may not be exactly spot on but suffice it to say it was more than two weeks and less than 3 months) when ejecting a PCMCIA card from the Macintrash the Eject lever spring broke and the Eject lever was stuck in the out position...this is where the fun started for realz yo.

I called Apple and explained the problem. They told me I had to send it in for service. Now..first and foremost this is bullshit. After paying the ridiculous price of Apple Care to extend the warranty they shouldn't deprive you of your laptop for 2-5 days for such a minor repair. They should do it in store at a minimum if not in home...but I digress. Then the tech on the phone told me that in order to get service ON MY PCMCIA EJECT LEVER they needed the Admin account password on my system. I told them no. They said yes. I said no. They said yes. I said why. They said because blah blah blah.

In the end I told them to send the box but that I wouldn't provide the Admin PW. I had about a day before the box arrived so I backed up the HD (which by the way you can't remove or you void your warranty and Apple Care) and wiped it. then rebuilt the computer to a fresh install and turned on full logging, set the Admin PW, enabled the root account and set a PW and did nothing else. When the box arrived I shipped the PB back with a letter stating that I would not provide them with the admin PW and that I did not consent to them accessing, modifying, copying or distributing the operating system or any data contained on the system.

I got the system back 2 days later (I will give them this, that is ridiculously fast turnaround for mail in service) and fired it up. The first and most telling thing I noticed was that the desktop background had been changed. I checked the logs and determined how they had accessed the system (target mode, copy pw file out, replace with new, do what they wanted, replace pw file with original (let's not get snippy over the technical details of pw file here, you know what I mean)). I also determined that despite my specific objection in writing they had accessed my account not once, not twice but three times...to diagnose a busted eject lever? wtf?

Ok..since this is already getting long and I am not even half done and Cot is probably going to split this off into it's own thread anyway (probably in /dev/null) I'll summarize the next part real fast. I called them and asked two questions. Why'd you access my drive. How did you access my drive. Answers: Because we wanted to. We won't divulge that info. After significant back and forth with 3 levels of tech support I asked the question again HOW did you do it (even though I knew the answer I wanted them to tell me) to which the third tier tech responded "We make the hardware and the software. If we want to get to your data we can." I then asked "Are you saying that Apple has a back door built into OS X?" He responded, and I shit you not "I can neither confirm nor deny that."

At this point I had already pretty much written Apple off. But I decided to do a little research on things. I grabbed my Apple Care TOS and noticed that at the end there is a little clause that says something to the effect of 'This agreement is superceded by the TOS at Apple.com.' So I grabbed that:
http://images.apple.com/legal/applec...Plan_NA_en.pdf

I immediately noticed that it was completely different from the terms and conditions included in the Apple Care box. Specifically, section 7f was not included on my paper but was on this one. Section 7f reads:

"f. You agree that any information or data disclosed to Apple under this Plan is not confidential or proprietary to you. Furthermore, you agree that Apple may collect and process data on your behalf when it provides service. This may include transferring your data to affiliated companies or service providers located in countries where data protection laws may be less comprehensive than your country of residence, including but not limited to Australia, Canada, countries of the European Union, India, Japan, the People’s Republic of China and the U.S."

Ok. So let me get this straight. In order not to void my warranty I can't remove my hard drive. But to get service I have to consent to Apple collecting and processing my data. I also have to agree for them to send said data to any number of countries including fucking China? Give me a fucking break. Apple can suck by cock. It's a shit company with shit hardware, shit policies and shit fanboys. Fuck em in their fucking asses.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Wow dude, don't hold your emotions back like that, it's not healthy. Though I think I said something to that effect when this all happened and you were talking about it over at the stumbler forums. I'd forgotten about the password thing. That is crap though. I've never had that kind of problem with them, though I do all my own warrantee repair on my stuff, not that any of it really has one any more... I wonder if they have a way of breaking into file vault accounts?

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

This is where I have a disconnect with a lot of people. I don't deny that you have had positive experiences with them. I don't say that it is impossible to have positive experiences with them. What I don't understand is how folks can knowingly support a company that not only does a blatant bait and switch on the warranty product but flat out TELLS you they have the right to do whatever the fuck they want with your data.

Now, riddle me this. I am a penetration tester. I routinely take a mobile computer and attach it to a site network. Now, suppose I am in the middle of a pen test (insert whatever you want here...vulnerability scan, application test, code review, etc) and I have some sort of catastrophic hardware failure that has nothing to do with the hard drive. As I see it I now have three unacceptable options.

1. Pull the hard drive and pay Apple to service a product that should be under warranty.
2. Pull the hard drive and toss the system and buy a new one and transfer the data.
3. Send them my clients vulnerability information to include mapping specific vulnerabilities to specific IP addresses.

Of the 3 obviously the third one is the MOST unacceptable, but as far as I am concerned they are all unacceptable and rule apple out as a serious choice for anyone that does any kind of work where they will at any time store proprietary customer data on their systems. Now...I know there are a gazillion workarounds for this so let's not get into semantics. I shouldn't have to perform a work around if I am doing a penetration test at a US Government site to ensure that Apple doesn't send their vulnerability data to China.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)


You have a very good point there. Though to be honest, who says Dell, Gateway, Lenovo, Hp, or Sony, doesn't do the same thing? I'm not defending Apple, some of the shit I've seen them do is pretty shady, but I've seen the other guys do the same thing. In your line of work I wouldn't trust a drive to any of them. It's too bad the only Mac that's relatively easy for the end user to pull the drive is the new MacBooks. Three screws to remove the ram cover in the battery bay and the drive slides right out. They're sata, so no adapters other than the positioning screws on the sides. The powerbook you had took about 11 screws to pull. Most of the Dell's I've worked on only take a few.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I am to say they don't. Because if I pull the hard drive out of a Dell, Gateway, etc. and send the system in for repair it doesn't void the warranty. Therefore they can never get my data and can never process, store, copy or transmit it. Additionally with Dell, they'll either just send me the part I need or send a tech to me. I don't have to ever let the system out of my sight/control.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I have generally had excellent experience with Dell and their warranty support. I've had Dell 'techs' out on several occasions and only had issues with one. Most parts I can get them to just send to me for installation, except they will not when replacing motherboards or CPU's. Everything else they won't send a tech if I ask them not to.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Pulling the drive wouldn't have voided it any way. They even show you how...

http://docs.info.apple.com/article.html?artnum=111925

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

I believe we had this exact same argument 3 years ago. Call Apple. Yes, it voids the warranty. Just because they show you how to take it out does not mean that doing so won't void the warranty.

Honestly dude, google 'void powerbook warranty' and look at the number of people that have had hard drives replaced at an APPLE STORE only to then be told later by Apple Corporate that the Geniuses aren't APple Certified Technicians and therefore they have voided their warranty.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

The biggest issue i had in the past with Dell tech support was that (at least for a while) they packaged their laptops with some diagnostics disc and would refuse to accept anything for repairs until the "disc was run and the error codes were read"

This would be the case even if, of course, you had some minor physical defect with the case, latches, or some other external bit of plastic (like Chris did with his Apple). I'd be on the phone with some tech, describing how a user at my company bent the shit out of his modem jack prongs by trying to smash an RJ45 plug into the RJ11 socket... and the guy would be insisting that I had to run the CD and tell me the error codes which of course it wasn't going to display. That pissed me off to no end... i mean, we had a business account at that company and they were speaking to a corporate IT shop. We could assess that sort of situation ourselves rather effectively.

(Heh, by the way... in the end the solution I came up with to address that nonsense was to just say that the laptop "failed to boot" or had a "bad CD-ROM drive" on every goddamn service call. I'd then get the laptop back in the mail a week later with a note saying "repaired modem jack... CD-ROM tested ok and was not replaced" or some such.)

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

<sorry for the hijack>
This is how I get past the 1st Level Techs, even though I might be calling for a video card or something else, I just tell them the disc they provided won't boot for some reason and that I'm not calling for that. Usually I can bully the tech into kicking me up to a 2nd Level Tech or just shipping out the part. I know that lots of people have grudges against Dells, but having experienced 'Warranty Support' for the other major vendors, no one can beat their Complete Care/Platinum Level support.
</end hijack>

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Reasons to dislike Apple.... Humm. Well I guess for one, I need an Apple store nearby to drive to for my hardware and software solutions. I already know the hardware is expensive and since Apple software does not seem to be open source I’d guess that’s pretty damn expensive too. Oh that’s right I forgot about Bootcamp. Gotta buy that too so I can run Win OS wares that are also vulnerable to malware. Well that keeps my Apple software costs down but now I need to buy security for both my Apple and Windows partitions. I think I’ll just stick with Linux.

I have a 58 yo friend who's a Priest and has used Apple’s since college. Apparently he has established a false sense of security since he’s been an Apple owner believing simply that he needs no firewall, anti-virus, anti-spyware, or root-kit add-on solutions. This false sense of security came from his friends and their friends as well as Apple that Apple is a secure OS and is not vulnerable to Windows perils. I have sent my friend reports from late last year that Apple was the #1 target in the sights of all those who would exploit it. He would rather believe his Apple friends even now that he needs no security solutions.

I have even expressed to my friend that even though he is a dial-up customer he can still become infected and pass that on to others through email, file sharing, and risky browsing habits. He does not care that he could infect or cause harm to others unintentionally and persists in laxidaisical security behavior.

I have my own reasons to spite Apple, and even Apple customers who think they are impervious to the Internet. Frankly, I am saddened that for the last year Apple has been such an easy target with their own browser and OS flaws, however, it may take an Apple security epidemic before all Apple customers finally figure out they’ve joined the rest of us.

BTW, I have no problems with Firefox. I’m a beta tester for Mozilla. I have the added advantage of being a moving target with respect to would be attackers that have yet to write an exploit for a yet to be publically released browser.

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

No right or wrongs here just some possible explanations: IMHO so please don't bite my head off.

No company will take responsibility for your data or programs. It's as simple as that, not Dell, HP, Apple, IBM ...etc. I hope we are all adult enough to see the legal reasons for that. Their responsibility is to repair the device not to ensure the coherency and or privacy of your data. One mans data is another's garbage. Every company I've personally dealt with has had a policy of, send your device in for repair; back it up first or kiss your data goodbye. Could you imagine if they had to be responsible for your data, oh you erased my stick figure of the Monalisa valued at $1,000,000.00 I'm suing you, or you erased the only picture of my long lost dead poodle where's my lawyer.

If you are doing pen testing or any type of work on a customers network, you are bound and solely responsible & liable for the data that you have no doubt signed a NDA to protect. So sending that laptop out for repair to anyone you are in violation of the NDA and should by all means wipe your drive and not expect the manufacturer to protect it. I can be pretty certain that the NDA specifically states that you cannot extend that agreement to anyone and specifically covers things like equipment failures and what do to in the event.

As far as Chris's experience if it was purchased over the web, service is generally delivered via shipping the product back and forth. I would imagine if you had purchased it from a store; an Apple reseller/service center that they would have honored the sale to you and possibly replaced / repaired it on the spot. Again and just to be clear this would only happen at the point of purchase not another Apple reseller across town or country. Apple has a fairly tight distribution channel and typically you have to have a store front to be Apple reseller with so many certified Apple Techs on premise in order to get the dealership and maintain it. Web super stores don't count.

Lets look at Apple's typical customer profile. Most people who use them don't have any tolerance for errors, error messages, and for a large part are either super power users, or mostly absolute computer neophytes. People who are at best mechanically challenged. People who never open up the Unix Shell or know what BSD stands for. Given that I can see why you would void your warranty opening it up as Apple is unfamiliar with your computer experience.

I've upgradeable all of my Dell laptops, including processor and video cards and never ever had a problem getting service or have a tech tell me that I've voided my warranty due to serious upgrades. I've even sent them back to Dell with an upgraded non-factory installed cpu and got the unit back repaired and under warranty.

Keep in mind I'm not talking about converting something like a Dell E1705 to an XPS by removing a single fan video card, to replace it with a dual fan video card which requires case modification just to be clear.

I believe PC manufacturers expect failures and the equipment is designed to be repaired by any computer technician. Sort of like your brakes for your car. Brakes by design are made to be repaired by anyone.

Apples aren't expected to have the same problems as a PC, and are therefore not designed to be repaired by anyone except the factory or the dealer.

I've never owned an Apple laptop but I do own a G5 workstation/server. It has got to be by far the easiest computers I've ever opened. Everything is modular and pluggable from the fans to the memory.

Again I state this in the spirit of discussion and debate and by no means intend to offend anyone so don't bite my head off please. :-) I can live with Die Painfully XOR you are full of shit. But anything more than that will offend my delicate sensibilities and virgin eyes.

xor

Requirements and Benefits

Apple authorizes, solely at its discretion, those organizations that provide service on selected Apple products.

Requirements

Baseline authorization requirements for all prospective service provider organizations follow:

* Organization has been in operation for a minimum of 2 years
* Organization has an established credit line of at least $25,000 (or local equivalent)
* Organization maintains a professional walk-in service location with sufficient personnel
* All technicians performing Apple repairs must be Apple-certified
* Organization actively promotes, recommends and sells AppleCare service and support products
* Each service location maintains baseline performance levels for two months out of each Apple fiscal quarter

Here is the Apple Dealer Return Policy Currently for a given Macbook part number, Granted it my have changed over the years. So yes the dealer tried to F you Chris.

Days to Return Defective: 30
Days to Return Factory Sealed: 30
Days to Return Open/Non Def: 30
Returnable Item: Yes
Vendor Phone #: (512) 674-2513
Vendor PreAuth Required: No
Serialized: Yes SE
Approval Required: No

Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

Clearly they do not know about Firefox 3 beta 4.