All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: photography and
Thank you for purchasing through links and ads on this site.
diglloyd Deal Finder...
Buy other stuff at
Get up to 16x more storage and 2x the speeds of the original drive
Handpicked deals...
$2998 $2498
SAVE $500

$1199 $920
SAVE $279

$1999 $1599
SAVE $400

$2799 $2399
SAVE $400

$400 $280
SAVE $120

$1798 $1598
SAVE $200

$3297 $2797
SAVE $500

$3397 $2797
SAVE $600

$1398 $898
SAVE $500

$3698 $2998
SAVE $700

$1799 $1329
SAVE $470

$1999 $1199
SAVE $800

$2249 $1549
SAVE $700

$2399 $2049
SAVE $350

$2799 $1899
SAVE $900

$997 $897
SAVE $100

$2099 $1699
SAVE $400

$1999 $1369
SAVE $630

$1349 $949
SAVE $400

$4499 $3999
SAVE $500

$1499 $1029
SAVE $470

$1499 $1289
SAVE $210

$2199 $1999
SAVE $200

$3399 $2199
SAVE $1200

$2418 $1718
SAVE $700

USB-C Travel Dock

Fast charging with up to 100W!

HDMI, SD card reader,
USB-C port, 2 USB Type-A ports
Built-in cable self-stores neatly.
See also OWC 14-port Thunderbolt 3 Dock"

Procedure for Minimizing Risks with a Software Updater that Runs as 'root'

This follows:

Sea Change: Security is Your Job Also, the Writing is on the Wall.

Sony Pictures Hacked: Do You Really Want to Update your Camera Firmware with a Sony Updater that Runs as 'root'?

This discussion actually applies to any software updater, signed or not, for a camera or anything. Because as the Sony fiasco shows, private keys can be stolen.

Even a signed app or updater does not preclude a version modified to contain malware by a hacker who cracks a stolen private key file. And then signs the app so that it looks legitimate*.

  1. Erase a drive, and clone the system to it. (see also How to upgrade your system/boot drive).
  2. Disconnect all drives including the original system drive. Or at least dismount the volumes (sophisticated malware can still infect at the driver level though).
  3. Boot off the clone.
  4. Download the updater, update the camera. Of course, infected firmware could still infect the camera, but the only solution to that is never to update firmware. And even then, really good malware might infect modifiable firmare RAM. Well, it’s all odds.
  5. Disconnect the clone.
  6. Reconnect previous devices, boot up.
  7. Ideally, physically destroy the clone drive (e.g hammer and saw, so to speak). Alternately (and carrying some risk), connect the clone drive (do not boot off it!) then using Disk Utility, erase it, then wipe all blocks (one pass secure erase). SoftRAID 5 also has an even better “Wipe” function.

Obviously if the update is for software you want on your computer, you’re out of luck—in it goes.

You want that software on your system—or do you? It is why MPG installs only absolutely essential software and loathes vendors deliver crapware and automated agents of various kinds. More software means more updates, each of which is a potential vector for compromise.

* That is why it is so critical that a vendor immediately revoke a certificate if there is any suspicion of the private key having been obtained, encrypted or not.

For that matter, a computer containing the private key that signs software should ideally never be connected to the internet. Certainly the private key should not be on a laptop taken for travel. But given reality, the password for the private key should be very long and complex.

Another option — virtualization

Mark A writes with an excellent suggestion of using virtualization via VirtualBox for the temporary bootable system:

I know this is obvious to you, being a software engineer like I am, but your readers may benefit from the understanding that a virtual hard drive can have its changes "rolled back" for free after such a potentially dangerous upgrade and restored to a condition ready for the next one.

Mac OS X is on the official virtualbox list of supported guest OSes. It's just a "normal" EFI-booted Intel OS. I believe Apple changed their license policy for hosting in a VM back in the Lion days.

There's the longer, hackier way ala

Or the way you suggest creating a pristine install and where I'd add a last step to clone the raw drive into a dmg image and then to a virtualbox image via so something like

$ VBoxManage convertfromraw NewImage.dmg NewImage.vdi --format VDI

And a young geek's view (the kind my son would probably prefer rather than actually reading instructions)

OWC Thunderbolt 3 Dock
Ideal for any Mac with Thunderbolt 3

Dual Thunderbolt 3 ports
Gigabit Ethernet
5K and 4K display support plus Mini Display Port
Analog sound in/out and Optical sound out

Works on any Mac with Thunderbolt 3

Save the tax, we pay you back, instantly!
View all handpicked deals...

Sony Alpha a7R III Mirrorless Digital Camera Body with Accessories Kit
$2998 $2498
SAVE $500 | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2019 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__