Users of PGP's Whole Disk Encryption for Macs got a nasty surprise when they upgraded to the latest OS X update once they discovered their systems were no longer able to reboot. It seems that Apple and the Symantec-owned PGP suffered a near-fatal failure to communicate that 10.6.5 ships with a new EFI booter that was …
but that's what you get when you play with an OS with small market share. You get d*cked around like this time to time.
WDE can bollox-up Windows Update, too
Ever since PGP Whole Disk Encryption was installed on this Dell laptop I use at work, I have to handhold Windows Update through its monthly dose of Redmond Medicine. It invariably fails to start, consumes all my RAM trying to, or makes various extravagant claims, such as "Background Intelligent Transfer Service" isn't running (when it is). It then needs to be killed afterwards, by nuking the wauctl.exe from the Task manager before it consumes all of the RAM and disabling both services from the MMC for another month. BITS really should be renamed the "Stupid Overblown SCP Client That Cannot Run In The Background".
I've narrowed it down to a series of utterly incomprehensible Registry hacks containing commands whose names must have been dreamt up by one of those hopeless facerollers in COSD. I've put them all into a BAT file, on my desktop, and double click it before trying to start it up, each time. Even so, Windows 'Automatic' Update now consumes at least half a morning, every month. I love Windows: it's just like Linux used to be, in the Old Days.
One thing is true, however. PGP is supposed to protect the data on the laptop, should it get stolen. It certainly does this, because I struggle to use the machine, myself, now, and a thief would have no chance.
Small market share
Rather than being dicked around all the time by an OS with an almost monopoly!
ALL OS, not one
I've consulted for a number of companies using a variety of disk encryption systems. EVERY OS suffers from update nightmares. 30% of the support tickets for workstations in my current firm are related to issues with Sophos after Windows updates are installed. Sometimes it just locks a machine out on its own for little or no conceivable reason, with the only bailout being format the machine and re-install everything.
At least with OS X, a backout method is easy to accomplish using the PGP recovery disk. That does NOT work for Windows most of the time. Updates to the disk encryption system lag Microsoft Update sometimes by weeks as well.
Go home and learn something, troll.
I've used PGP whole disk on my work laptops (1 dell and two HP) for the last five years, and had no issues with windows updates, BITS or anything whole disk related. This has been on XP, 32 bit Win7 and 64bit Win7.
I'm not saying you're not having issues, I just wonder whether they have anything to do with PGP or not. It simply doesn't interact with BITS. Does everyone else in the office who uses whole disk have this problem? If not it's unlikely to be PGP ...
@ALL OS, not one
OMG! Sophos? Quick get me some Valium and a dark room.
We need a 'horrified' icon please.
Re: ALL OS, not one
> EVERY OS suffers from update nightmares.
OK, thanks for the tip. I'll remember that next time. I seem to have missed the difficulties the last few times I've upgraded...
...but, actually, doesn't El Reg already have one? I believe it's that shot of Janet Leigh from "Psycho" -- it's just not in the standard comment icon collection.
Should be easy enough to do a smaller crop of her face for a "horrified" icon. How about it, gang?
You've obviously never tried to upgrade from Sarge to Etch, then.
I remember that one very well. Ended up with missing libc and klibc (the latter being a bit harder to diagnose and fix, as busybox from emergency shell was able to run md, but the actual md executable from initrd wasn't able to boot - so by mounting my RAID manually at boot I could get it to work, whereas the very same commands put in a script in initrd would silently fail). Spent 2 days on fixing that.
As opposed to...
Being fucked around constantly?
If you have nothing to hide
you have nothing to fear
It Just Works (TM)
But at least their data was safe from any nasty government agents, eh?
It does, Oliver...
As soon as I read the article I thought, "How many replies down will the first 'it just works' post be?" - I was almost expecting it to be #1 - not far off at #3 I suppose.
So no really serious problem then?
So after giving it some serious Mac bashing, we get down to this snippet at the end of the article:
"Fortunately, a fix was provided Thursday morning that's relatively painless. It involves booting off the PGP recovery CD and then logging in to OS X. An automatic self-repair process that's part of the Mac bootup sequence will straighten out things from there."
So apart from some minor inconvenience, this is no real biggy then? Nothing like stirring the fanbois from both sides into a frenzy on a Friday morning!
@The Fuzzy Wotnot
"after giving it some serious Mac bashing"?
Are you for real?
Were you reading the same article that the rest of the world was or have you been sprinkling ketamine on your cornflakes again?
There was no Mac bashing in that article. None. Nadda.
What is wrong with you?
Have you ever done this?
It takes hours to encrypt / decrypt the disk. Depending on how many macs you support this is actually a right royal pain in the arse.
Actually, there's more: GPG
Anyone who has GPGmail installed will discover post update that Mail throws it out as a now unsupported plug-in, which leads to the question what has changed so much they had to force incompatibility. You get that %&ç* pain with Firefox too.
Sigh. Just when you thought you left Windows-alike problems behind (having said that, if you install the Adobe PDF reader you're right back into daily updates anyway).
..I always decrypt machines before any OS update, regardless of platform. But then maybe I use just a little common sense..
Really?? Last time I used whole disk encryption (the built in filevault) it took many hours to encrypt, and even longer to decrypt. So a 1 hour OS update turns into an overnight marathon.
That's not half of it (literally)
Decrypt/Encrypt takes around twice as long on my MacBook Pro as on my Thinkpad.
9 hours (each) last time, if memory serves me well
Corp requires encrypting laptops, not that I have anything sensitive on mine.
Time to find an independent solution.
I am incredibly grateful that I found this post before I (unthinkingly) installed the update. That's been my past behaviour. Whew!!!
@ Peter Martin
Regardless of the time it takes to decrypt and then re-encrypt the drives, that is really the proper way to install OS updates.
Not a Surprise
Never buy Symantec malware.
Leaving prejudice aside
PGP WDE predates the Symantec acquisition, and would have broken in this way whether Symantec owned the company or not. The tech hasn't changed.
Or to put it another way, this has nothing whatsoever to do with Symantec.
Serves them right for buying ANYthing from Symantec.
Never heard of Filevault built into Mac OS X??? doh.
Is filevault whole disk encryption? No.
Why not suggest they use some other random product which doesn't do what PGP WDE does?
Never heard of Dreamweaver on Mac OS X??? doh
GPGmail: get the update
The GPGmail update released yesterday will address the problems with the Mail program (which rejects any older versions). Available in the download section of gpgmail.org, version 1.3.1.
Small bricking, not many injured
Well, that's what you get for running mundane 3rd party apps on your magical Jobsbox.
Is this another piece of good software to be messed up by Symantec?
Not bricked then!
The EFI bootloader is in flash. Even if the entire hard disk is no longer
decryptable (probably because the encryption uses the MD5 checksum
or similar of the EFI image to ensure the correct machine) you would still
be able to boot from another (unencrypted) storage device. This in fact
appears to be the easy fix.
So the entire article is huburis. The machines are not in fact bricked. They
are in fact the complete opposite of bricked. They are easily fixable! May
be the reporter doesn't know what bricked means! (Completely unable to
restore the device to a working system *by any means* usually including
"So the entire article is huburis. "
"May be the reporter doesn't know what bricked means! "
Maybe you don't know what "hubris" means.
Time for a classic quote... "You using that word. I do not think it means what you think it means"
It's also mis-spelled!
Is it true
That Apple HQ is actually constructed of bricked Macs and iPhones created during "updates"?
This would never have happened on a Mac.
How many people need WDE?
Really, how many of us need WDE on a laptop/desktop machine? Mac users can protect data by using the built-in FileVault utility, which although not perfect is a whole lot better than allowing any Symantec products near a machine.
These are probably corporate users.
These third party disk encryption systems tend to have useful functionality like allowing a "master" administration password to be set so the company can retain access to the data, or allowing several legitimate users all access the same data on one machine.
I don't think FileVault offers that sort of thing. In addition to that, FileVault creates a virtual container for each user with the option enabled and it disables backups of the files inside the container - you can only backup the container itself and *only* when the user is logged out.
Considering the work Apple puts into the usability of the rest of the OS features (e.g. Time Machine), FileVault is particularly poor.
Depends on your perspective
If you are the IT goon wanting to lord over all, then you want Windows. If you are the user, you want to be able to control what is on YOUR computer, then you want the Mac. And forget about that ridiculous mantra of 'open' and all the BS that purports. With Apple YOU THE USER are the customer, not the IT guy. With Mac, you don't NEED AN IT GUY.
So, we understand how you IT guys feel.
Serves them right for NOT using file vault, and paying extra for using Symantec???? Who made that decision? That is idiotic, and any good Mac user could have told you this. Google it.
EVERYONE needs WDE
FileVault is a half-arsed solution that doesn't work with TimeMachine. It only encrypts the /users directory leaving all the system files and applications unencrypted.
Whole disc encryption means everything is encrypted all the time. No exceptions.
Who needs it; everyone who values their personal information. E.g. everyone. Anyone who carries other people's data around has a duty of care to protect it, for example your address book or email archive, or your client's information.
Laptop computers, particularly the shiny Macs, are prime targets for thieves. Just take a laptop bag into a pub in London and see how quickly it's stolen. WDE with a decent pass phrase and decent (different) logon password will render the laptop's data useless to all but the most determined or security services.
I struggle to understand how people don't get this simple fact.
BTW Symantec only recently bought PGP. There's only one other WDE system for a Mac which is owned by a company that's even less desirable than Symantec. TrueCrypt WDE isn't available on the Mac.
Thank you for that hilarious performance art. The worst part is, plenty of people actually swallow that guff. Marketing and ideology, what's the difference?
... except ...
Since your machine no longer boots, how do you get on the internet to
a) find out that other people are having the same problem; and
b) get a hold of the instructions on how to complete the fix.
I can imagine an awful lot of Fanbois paying a "Genius" for the fix - way to go Apple, keep your consultancy rates up by breaking your software.
Except that seeing the Geniuses is free
And, where possible, the fixes they perform are free. They're one of the reasons that Apple always tops customer service satisfaction polls.
Not sure how likely they are to play the "it's third party software, you deal with it" card though.
...you call Apple support. ...and they tell you the answer, since they actually support both the OS and the device it's on unlike the competition.
If you failed to make and keep safe a PGP recovery CD, that's your fault for not reading the manual and understanding that is a MUST DO part of keeping the system secure, especially if you needed to do so in a way File Vault could not by itself suffice.
If you were dumb enough to install an OS update while not at home, or in a place you could roll back said recovery (and where you had just backed up immediately before doing the update), then, also, your fault.
OS updates go bad. The updater itself warns you of this possibility, including that you have to be plugged into a power source, not to turn the machine off, have a recent backup, etc. If you installed the update in a coffee shop, nowhere near your time machine backup or PGP recovery disk, and lost access to your machine, temporarily as a result (it's not bricked, it is not in need of hardware replacement due to this, bad author), then I have nothing more to do than laugh at you. If you were in the middle of critical business and chose to do an update? dumb, just dumb.
Always carry a spare
"Since your machine no longer boots, how do you get on the internet to a) find out that other people are having the same problem; and b) get a hold of the instructions on how to complete the fix."
From that spare old Windows or Linux or classic-Mac box over in the corner, kept around for just such purposes.
Not that mom-n-pop Average User would necessarily have such a spare, nor understand why it would be useful, not to mention the fact that they shouldn't *have* to resort to such measures in the first place.
(Works for me though, except in reverse - I keep my old Mac machine as a spare for when I screw up something on my other main non-Mac computer.)
But my little workaround there goes against the premise of the "It Just Works" thing that some Mac users expect - they probably figure they'd left all that stuff behind when/if they switched to Mac from some other OS.
Computers - *any* of 'em - are just not all that reliable, regardless of which OS a person chooses to use.
I think the average home user expects too much from their computers, which isn't helped by various companies' marketing strategies that encourage people to think that computers are dependable trouble-free appliances.
A/C because I just woke up and am probably writing incomprehensible nonsense :)
It sounds like a silly remark on the face of it, but really, you're right on there.
I have my "main" Mac, a hot-rodded dual G4 minitower, the workhorse of the studio; my "road" Mac, a G4 iBook -- and the "emergency" Mac, a twelve-year-old beige desktop G3 -- with the still-functioning scanner of the same vintage hooked up to it -- which used to be the main studio machine but is now the spare. It's only powered up when needed, like when someone sends me art or layouts created in ancient versions of FreeHand, Illustrator or PageMaker, or when I need to scan something. (Yeah, I know, but I'm one of those guys who'd buy a car brand-new and drive it until it fell apart -- back when I still owned a car. I do keep my eye out on USB scanner reviews for when the old Microtek finally dies)
I also use the old G3 as my TV set; it's still got the old ixMicro "Turbo TV" card in it, hooked up to a VCR which, in turn, has a DTV converter box patched into it via RCA line-ins. Works great.
You find out other people are having the same problem by accessing the internet using your shiny iPhone or iPad of course.
Symantec software borks Mac. Well I never. I would not have any of their piles of dog excreta anywhere near my trusty Apple.
How long to de/re crypt a drive?
Encryption of a whole-disc-encrypted hard drive takes ages. It took 7 hours for a 3GHz MBP 17" on a 500Gb 7200RPM drive when I did this a couple of weeks ago after a hard disc failure.
No doubt it's the same to decrypt?
I *have* to run PGP whole-disc-encryption as it's the only one available. Apple only supply a half-arsed solution, FileVault, which DOESN'T work with Time Machine. There's one other company that does WDE, but they're on my list of "I just don't trust them".
Pity -- or maybe just as well -- that TrueCrypt doesn't work on the Mac for a bootable full-disc encryption solution.
A HUGE thank you to TheRegister forum poster "uncertified-dba" who made everyone aware of this yesterday.
There's your problem ...
It took 7 hours for a 3GHz MBP 17" on a 500Gb 7200RPM drive when I did this a couple of weeks ago after a hard disc failure.
Shoulda got the 19", you'd have been done much quicker.
Maybe don't encrypt the operating system partition then
or am I missing the point? I mean, yes, "whole disk", but, um, why?