[Spooky23]

I feel bad for the engineers, but seriously screw Apple on this. They have an overcomplicated setup with little internal Kerberos implementations on every Mac to make peer to peer networking easier.

If it’s like everything else, it’s probably ancient and crufty. The dude who wrote it probably cashed out years ago. Some engineer rushed through and made the original worst-case-scenario error, and the guys cleaning up the mess made this error, which is understandable given the severity of the problem.

For a company like Apple that prints money, it’s irresponsible and reflective of a broken engineering process. Personally I’m angry about this because on iOS, we’re 100% dependent on their engineering process to protect my customer’s data. Hopefully that trust is well placed.

If they don’t want to maintain Macs, don’t make them.

[szc]

I designed and implemented quite lot of the LocalKDC mechanism - um, roughly about 11-12 years ago now I think. At the time it was based on the MIT version of Kerberos. When Apple switched to using Heimdal, the LocalKDC implementation was updated and it has been maintained since then - I am no longer the maintainer of this software. I haven't cashed out.

As to why the LocalKDC exists? How can you do secure peer-to-peer authentication without relying on some sort of global (and broken) or private PKI infrastructure? SRP wasn't an option at the time.

I am sorry you are upset. Apple is really, really serious about protecting customer data. I encourage the reading of the Apple iOS Security Guide - it describes hardware and software techniques used to protect your data. There is also the 2016 Blackhat presentation by Ivan Krstic that gives more insight into the Secure Enclave.

[Spooky23]

Thanks for replying. Sorry if I was throwing too much vitriol and no personal affront was intended.

I had a real bad day yesterday... my customers were freaking out about this particular issue. I recall doing some enterprise Mac rollouts back in the Tiger days and you'd see alot of changes as support for things like AD evolved.

Apple has really good communications and documentation around iOS, which comes through in the iOS Security Guide, which is probably one of the best examples of that type of documentation. That hasn't been the case with MacOS, and its mysterious evolution, which feels pretty capricious from a customer POV at times. End of the day, I get paid to turn money + labor into answers to business problems -- Mac has turned into a wildcard for me, which saddens me as I love the platform.

[LoSboccacc]

> Apple iOS Security Guide

that goes perfectly with the trending feeling that iOS gets all the love while OSX sits on the back burner.

[szc]

I personally see that the mac is getting lots and lots of love! Not my place to say more than that.

I pointed to this resource due to the concern expressed about iOS.

[digi_owl]

It seems that whenever one attempts to make something easier on the surface, the complexities underneath expand cubically.