Archive for April 19, 2016

Tuesday, April 19, 2016

Two-Factor Authentication List

Two Factor Auth (via Adam Chandler):

List of websites and whether or not they support 2FA.

“Use iCloud Password” Mac Login Option Removed

Rich Trouton:

Starting in OS X Yosemite, Apple introduced a new option to log into your Mac using the password associated with an Apple ID. As of OS X 10.11.4, this option seems to have been removed from the Users & Groups preference pane in System Preferences.

Keri Thomas:

Curiouser and curiouser. Has Apple removed the option for security reasons? Is there a bug? Why is Apple always so damned secretive?

What’s Wrong With Twitter

Jeff Johnson:

When I rejoined Twitter, I already knew who to follow, because I had people I followed during my previous stint. For completely new users, however, the first hurdle is figuring out who to follow. Twitter unhelpfully suggests celebrities. These suggestions are self-defeating, because celebrities are almost guaranteed to ignore you. They have way more followers than they can respond to personally. So you can follow celebrity accounts, tweet to the celebrity accounts, and ... nothing. That gets old quickly. You can try to “personalize” your experience by telling Twitter your interests, but the categories are so broad (e.g., Music) that you end up with more celebrity accounts anyway. And you can upload your contacts to Twitter in order to discover your contacts on Twitter, but what if you don’t want to provide your address book to Twitter? And while uploading your contacts may be a good way of finding people you already know on Twitter, it’s not necessarily a good way of finding people you don’t know. What if you’re interested in, say, Mac programming, and you’re new and unknown in the field, so you don’t have any existing contacts? Indeed, what if you’re signing up for Twitter in order to meet other people in your field? Good luck with that.

Git Remote Code Execution Bug

The current Git version is 2.8.1. Xcode 7.3 comes with Git 2.6.4.

Rachel Kroll (via Hacker News):

git 2.6.4. Is anything wrong with that? Well, yeah, actually. Say hello to CVE-2016-2324 and CVE-2016-2315, present in everything before 2.7.1 according to the report. You should check this out.

Remote. Code. Execution.


Apple is doing something new which basically keeps you from twiddling certain system-level programs without going to fantastic lengths. Not even root is enough to do it. In short, you can’t just replace /usr/bin/git.


Companies like Apple and Microsoft prevent you from modifying the software installed on your computer to improve your security.

Ironically, when they do that, they also make it difficult, impractical, or impossible for you to upgrade or disable vulnerable software (in this case, an old, insecure version of git with remote-code-execution vulnerability).


/usr/bin/git is a “toolshim” that effectively calls “xcrun git” (it actually calls xcselect_invoke_xcrun, from /usr/lib/libxcselect.dylib, if you really want the details - this can be found by inspecting the binary). xcode-select’s manpage tells you that these shims call the respective binary in the active developer directory, whereas xcrun’s manpage describes its capabilities in more detail.


Imagine that you are in corp IT and managing a fleet of developers with Macs. You can push a newer version of git to them, and you can even change their default PATH so that the version of git you pushed comes before the git that comes with Apple. But you still cannot remove the one that comes with Apple, and you cannot prevent it from being used.

Update (2016-05-06): The updated version of Git is finally in the release notes for Xcode 7.3.1 (Hacker News).
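The following script is an added example, not code from the quoted posts, Apple, or the Git project. It lists every git reachable on PATH, not only the first hit, and flags any older than 2.7.1, the fixed version named in the quoted report. The function names and the `--audit` argument are this example's own, and the version strings in its comments are constructed samples.

```shell
#!/bin/sh
# Added example: find git binaries older than the fixed release.
# Per the report quoted above, CVE-2016-2324 and CVE-2016-2315 affect
# everything before 2.7.1.
FIXED="2.7.1"

# Pull "X.Y.Z" out of `git --version` output.
# Constructed sample input: "git version 2.6.4 (Apple Git-63)"
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if version $1 is strictly older than $2, comparing each dotted
# field numerically (so 2.10.0 is newer than 2.7.1).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Map one line of `git --version` output to vulnerable / ok / unknown.
classify() {
    v=$(parse_git_version "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" "$FIXED"; then echo vulnerable
    else echo ok
    fi
}

# Walk every PATH directory: putting a newer git first on PATH does not
# remove older copies, which stay callable by absolute path.
# On OS X, /usr/bin/git is a shim, so it reports the version found in
# the active developer directory.
audit_git() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        if [ -x "$dir/git" ]; then
            out=$("$dir/git" --version 2>/dev/null)
            printf '%s\t%s\t%s\n' "$(classify "$out")" "$dir/git" "$out"
        fi
    done
    IFS=$old_ifs
}

if [ "${1:-}" = "--audit" ]; then audit_git; fi
```

Run it with `--audit` to print one tab-separated line per git binary found; any line starting with `vulnerable` is a copy that can still be invoked even if a newer git comes first on PATH.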