All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: diglloyd.com photography and WindInMyFace.com
Thank you for purchasing through links and ads on this site.
OWC / MacSales.com...
diglloyd Deal Finder...
Buy other stuff at Amazon.com...
Upgrade the memory of your 2018 Mac mini up to 64GB
128GB Memory in iMac 5K

Up to 128GB for 2019 iMac 5K!
Up to 64GB for 2015/2017 iMac 5K

Save nearly 50% over Apple pricing

Procedure for Minimizing Risks with a Software Updater that Runs as 'root'

This follows:

Sea Change: Security is Your Job Also, the Writing is on the Wall.

Sony Pictures Hacked: Do You Really Want to Update your Camera Firmware with a Sony Updater that Runs as 'root'?

This discussion actually applies to any software updater, signed or not, for a camera or anything. Because as the Sony fiasco shows, private keys can be stolen.

Even a signed app or updater does not preclude a version modified to contain malware by a hacker who cracks a stolen private key file. And then signs the app so that it looks legitimate*.

  1. Erase a drive, and clone the system to it. (see also How to upgrade your system/boot drive).
  2. Disconnect all drives including the original system drive. Or at least dismount the volumes (sophisticated malware can still infect at the driver level though).
  3. Boot off the clone.
  4. Download the updater, update the camera. Of course, infected firmware could still infect the camera, but the only solution to that is never to update firmware. And even then, really good malware might infect modifiable firmare RAM. Well, it’s all odds.
  5. Disconnect the clone.
  6. Reconnect previous devices, boot up.
  7. Ideally, physically destroy the clone drive (e.g hammer and saw, so to speak). Alternately (and carrying some risk), connect the clone drive (do not boot off it!) then using Disk Utility, erase it, then wipe all blocks (one pass secure erase). SoftRAID 5 also has an even better “Wipe” function.

Obviously if the update is for software you want on your computer, you’re out of luck—in it goes.

You want that software on your system—or do you? It is why MPG installs only absolutely essential software and loathes vendors deliver crapware and automated agents of various kinds. More software means more updates, each of which is a potential vector for compromise.

* That is why it is so critical that a vendor immediately revoke a certificate if there is any suspicion of the private key having been obtained, encrypted or not.

For that matter, a computer containing the private key that signs software should ideally never be connected to the internet. Certainly the private key should not be on a laptop taken for travel. But given reality, the password for the private key should be very long and complex.

Another option — virtualization

Mark A writes with an excellent suggestion of using virtualization via VirtualBox for the temporary bootable system:

I know this is obvious to you, being a software engineer like I am, but your readers may benefit from the understanding that a virtual hard drive can have its changes "rolled back" for free after such a potentially dangerous upgrade and restored to a condition ready for the next one.

Mac OS X is on the official virtualbox list of supported guest OSes. It's just a "normal" EFI-booted Intel OS. I believe Apple changed their license policy for hosting in a VM back in the Lion days.

https://www.virtualbox.org/wiki/Guest_OSes

There's the longer, hackier way ala https://www.robertsetiadi.net/install-os-x-virtualbox/

Or the way you suggest creating a pristine install and where I'd add a last step to clone the raw drive into a dmg image and then to a virtualbox image via https://www.virtualbox.org/manual/ch08.html#idp59618720 so something like

$ VBoxManage convertfromraw NewImage.dmg NewImage.vdi --format VDI

And a young geek's view (the kind my son would probably prefer rather than actually reading instructions) https://www.youtube.com/watch?v=Nod7cpxzxLc


Deals Updated Daily at B&H Photo
B&H Deal ZoneDeals by Brand/Category/Savings
Deals expire in 10 hours unless noted. Certain deals may last longer.
$2797 SAVE $600 = 17.0% $246 FREE ITEMS Nikon Z 7 Mirrorless in Cameras: Mirrorless
$2798 SAVE $400 = 12.0% Sony a7R III Mirrorless in Cameras: Mirrorless
$3498 SAVE $1000 = 22.0% Sony a9 Mirrorless in Cameras: Mirrorless
$898 SAVE $100 = 10.0% $161 FREE ITEMS Sony DSC-RX100 VA in Cameras: Point and Shoot
$1879 SAVE $1071 = 36.0% ZEISS 15mm f/2.8 Distagon T* ZE in Lenses: DSLR

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2019 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__