HackerTrans
TopNewTrendsCommentsPastAskShowJobs

nmgycombinator

no profile record

Submissions

[untitled]

1 points·by nmgycombinator·9 เดือนที่ผ่านมา·0 comments

[untitled]

1 points·by nmgycombinator·9 เดือนที่ผ่านมา·0 comments

CVE-2025-43253: Bypassing Launch Constraints on macOS

wts.dev
2 points·by nmgycombinator·12 เดือนที่ผ่านมา·0 comments

Can you trust that permission pop-up on macOS?

wts.dev
377 points·by nmgycombinator·ปีที่แล้ว·251 comments

CVE-2025-24259: Leaking Bookmarks on macOS

wts.dev
17 points·by nmgycombinator·ปีที่แล้ว·4 comments

Leaking Passwords and more on macOS

wts.dev
325 points·by nmgycombinator·ปีที่แล้ว·62 comments

comments

nmgycombinator
·ปีที่แล้ว·discuss
> The primary outcome appears to be increased profit margins rather than societal advancement. While previous technological revolutions created new industries and democratized access, AI seems focused on optimizing existing processes without providing comparable societal benefits.

This is the thing that worries me the most about AI.

The author's ramblings dovetails with this a bit in their "but the craft" section. They vaguely attack the idea of code-golfing and focusing on coding for the craft as essentially incompatible with the corporate model of programming work. And perhaps they're right. If they are, though, this AI wave/hype being mostly about process-streamlining and such seems to be a distillation of that fact.
nmgycombinator
·ปีที่แล้ว·discuss
Edit made: Ventura and Sonoma will remain vulnerable. Apple made the decision to only patch this in Sequoia.
nmgycombinator
·ปีที่แล้ว·discuss
I mean, I don't know how there would be? Unless they were scanning the text of every pop-up for words convincing the user to enter their computer password. There would be no way to determine intention without some sort of language analysis.
nmgycombinator
·ปีที่แล้ว·discuss
I agree with you. However, in this case, I was abusing a legitimate OS prompt (not just making my own), so I don't know if a security image would be a barrier there. It would definitely be one for instances where malicious apps make their own pop-ups.
nmgycombinator
·ปีที่แล้ว·discuss
That's a fair point. But did Mac have the same issue as Windows where file extensions were not shown by default? That feels like it would have been the core issue.
nmgycombinator
·ปีที่แล้ว·discuss
I mean, as others have mentioned, actually true capabilities would be nice. But as long as we're going to have a database, it would have to end up in user space or in the kernel. And I'm not sure how much I like either option.
nmgycombinator
·ปีที่แล้ว·discuss
Ooh! Thanks for the links!
nmgycombinator
·ปีที่แล้ว·discuss
I think Apple uses an L4 variant for their SEP co-processor, though I'm not sure if it's that specific one. Sounds like another OS I'll probably have to do a deep dive into at some point.
nmgycombinator
·ปีที่แล้ว·discuss
Damn, that really puts things into perspective. Granted, attached modals presuppose there's a window to attach to. But I think that would probably be true 9 times out of 10.
nmgycombinator
·ปีที่แล้ว·discuss
I do agree that uninstallation can be hard on macOS. I think Apple just envisions a future where every app is self-contained and putting the app in the trash really does remove everything because it was all in there.

Maybe that's not realistic, though.

I still think there's something to be said about an installation/uninstallation process that relies purely on moving files around, no custom script execution.
nmgycombinator
·ปีที่แล้ว·discuss
I will definitely admit, it can be a bit of a pain point that Apple sometimes takes a lot of time to determine a bounty. I'm just waiting patiently now to see what they say. I appreciate your kind words and encouragement.
nmgycombinator
·ปีที่แล้ว·discuss
I think their "Hall of Fame" (or at least whatever people colloquially refer to as that) is their credits for people who found bugs in their web servers, so I don't think that counts here. I did get credited, so I'm happy about that. Now I just have to wait and see if they determine it's worth a reward (and, if so, how much).
nmgycombinator
·ปีที่แล้ว·discuss
Correction (longer explanation elsewhere): only 15.5. Apple didn't patch it in the other two releases.
nmgycombinator
·ปีที่แล้ว·discuss
Yeah, to be perfectly honest, I understand. I think TCC is meant to be the primary consent system, but there are others (such as the Authorization system, and the Service Management framework).
nmgycombinator
·ปีที่แล้ว·discuss
As someone who dove deep into keychain items for a previous write-up, I believe you are misunderstanding this situation. As far as I understand it, many keychain items can be stored in your iCloud keychain. However, your local machine can have its own keychain that's different than the iCloud keychain, with items that are not sent to iCloud.

And besides all that, to my knowledge your local machine password (the password you use to login) isn't stored in a keychain item, so there's no way it could make itself into the iCloud keychain, or your local keychain.

You may be mistaking some explanations. Your computer password is used to unlock your local keychain, but it itself is not stored in your keychain. Your local keychain is also not your iCloud keychain, it's not stored in iCloud.

Again, I'm not an Apple developer, so there may be stuff I don't know, but I am a developer in general and I have researched this. The above is my current understanding.
nmgycombinator
·ปีที่แล้ว·discuss
That's honestly a pretty smart move.
nmgycombinator
·ปีที่แล้ว·discuss
Hijacking this current top comment to let everyone know there is an important update to this article: https://news.ycombinator.com/item?id=43969087
nmgycombinator
·ปีที่แล้ว·discuss
Oh nice! I'll take a look at these.
nmgycombinator
·ปีที่แล้ว·discuss
An important correction, so hopefully this bubbles to the top (this will be appearing on the post as well):

A previous version of this article mentioned below that this CVE was patched in macOS Sequoia 15.5 et al., but I was a bit mistaken in that. Despite being released today as well, it appears that macOS Ventura 13.7.6 and macOS Sonoma 14.7.6 are not patched against this vulnerability.

I wrote that sentence assuming that Apple would have included a patch in all of the releases. It was only later, when I checked the security release notes, that I saw I was not credited under the other two releases. I reached out to Apple to clarify if these releases were patched. As of writing, I have not heard back.

I chose to do my own testing and spun up a virtual machine. After some difficulties I got it updated to macOS Sonoma 14.7.6 and was able to compile and run my proof of concept. It still worked. I would assume the same is true for macOS Ventura 13.7.6. I'm not sure why Apple didn't include the patch in these two releases.

I will update the post when I have more information and/or context.
nmgycombinator
·ปีที่แล้ว·discuss
Thank you for your kind words. To respond: 1. I'm not a "he", I would prefer "they". 2. As I mentioned in another comment, I have not received word back yet on any reward.