Fanbois howl as OS X update bricks PGPed Macs

Users of PGP's Whole Disk Encryption for Macs got a nasty surprise when they upgraded to the latest OS X update once they discovered their systems were no longer able to reboot. It seems that Apple and the Symantec-owned PGP suffered a near-fatal failure to communicate that 10.6.5 ships with a new EFI booter that was …

COMMENTS

This topic is closed for new posts.
  1. Mike OReilly

    Sorry

    but that's what you get when you play with an OS with small market share. You get d*cked around like this from time to time.

    1. Cyberspice
      Happy

      Small market share

      Rather than being dicked around all the time by an OS with an almost monopoly!

    2. Daniel 1

      WDE can bollox-up Windows Update, too

      Ever since PGP Whole Disk Encryption was installed on this Dell laptop, I use at work, I have to handhold Windows Update through its monthly dose of Redmond Medicine. It invariably fails to start, consumes all my RAM trying to, or makes various extravagant claims, such as "Background Intelligent Transfer Service" isn't running (when it is). It then needs to be killed afterwards, by nuking the wauctl.exe from the Task manager before it consumes all of the RAM and disabling both services from the MMC for another month. BITS really should be renamed the "Stupid Overblown SCP Client That Cannot Run In The Background".

      I've narrowed it down to a series of utterly incomprehensible Registry hacks containing commands whose names must have been dreamt up by one of those hopeless facerollers in COSD. I've put them all into a BAT file, on my desktop, and double click it before trying to start it up, each time. Even so, Windows 'Automatic' Update, now consumes at least half a morning, every month. I love Windows: it's just like Linux used to be, in the Old Days.

      One thing is true, however. PGP is supposed to protect the data on the laptop, should it get stolen. It certainly does this, because I struggle to use the machine, myself, now, and a thief would have no chance.

      1. Anonymous Coward
        Pint

        PGP WDE

        I've used PGP whole disk on my work laptops (1 dell and two HP) for the last five years, and had no issues with windows updates, BITS or anything whole disk related. This has been on XP, 32 bit Win7 and 64bit Win7.

        I'm not saying you're not having issues, I just wonder whether they have anything to do with PGP or not. It simply doesn't interact with BITS. Does everyone else in the office who uses whole disk have this problem? If not it's unlikely to be PGP ...

    3. Michael C
      FAIL

      ALL OS, not one

      I've consulted for a number of companies using a variety of disk encryption systems. EVERY OS suffers from update nightmares. 30% of the support tickets for workstations in my current firm are related to issues with Sophos after Windows updates are installed. Sometimes it just locks a machine out on its own for little or no conceivable reason, with the only bailout being format the machine and re-install everything.

      At least with OS X, a backout method is easy to accomplish using the PGP recovery disk. That does NOT work for Windows most of the time. Updates to the disk encryption system lag Microsoft Update sometimes by weeks as well.

      Go home and learn something, troll.

      1. Kool-Aid drinker
        Alert

        @ALL OS, not one

        OMG! Sophos? Quick get me some Valium and a dark room.

        We need a 'horrified' icon please.

        1. Mike Flugennock

          agreed...

          ...but, actually, doesn't El Reg already have one? I believe it's that shot of Janet Leigh from "Psycho" -- it's just not in the standard comment icon collection.

          Should be easy enough to do a smaller crop of her face for a "horrified" icon. How about it, gang?

      2. Vic

        Re: ALL OS, not one

        > EVERY OS suffers from update nightmares.

        They do?

        OK, thanks for the tip. I'll remember that next time. I seem to have missed the difficulties the last few times I've upgraded...

        Vic.

        1. A J Stiles
          Linux

          Hmm

          You've obviously never tried to upgrade from Sarge to Etch, then.

          1. Pawel 1
            Linux

            Oh yeaah

            I remember that one very well. Ended up with missing libc and klibc (the latter being a bit harder to diagnose and fix, as busybox from emergency shell was able to run md, but the actual md executable from initrd wasn't able to boot - so by mounting my RAID manually at boot I could get it to work, whereas the very same commands put in a script in initrd would silently fail). Spent 2 days on fixing that.

    4. N2

      As opposed to...

      Being fucked around constantly?

  2. Fred Flintstone Gold badge

    Actually, there's more: GPG

    Anyone who has GPGmail installed will discover post update that Mail throws it out as a now unsupported plug-in, which leads to the question what has changed so much they had to force incompatibility. You get that %&ç* pain with Firefox too.

    Sigh. Just when you thought you left Windows-alike problems behind (having said that, if you install the Adobe PDF reader you're right back into daily updates anyway).

  3. Fred Flintstone Gold badge

    GPGmail: get the update

    The GPGmail update released yesterday will address the problems with the Mail program (which rejects any older versions). Available in the download section of gpgmail.org, version 1.3.1.

  4. MacRat
    FAIL

    Not a Surprise

    Never buy Symantec malware.

    1. Anonymous Coward

      Leaving prejudice aside

      PGP WDE predates the Symantec acquisition, and would have broken in this way whether Symantec owned the company or not. The tech hasn't changed.

      Or to put it another way, this has nothing whatsoever to do with Symantec.

  5. MnM
    IT Angle

    If you have nothing to hide

    you have nothing to fear

  6. Ty
    Jobs Halo

    ummmm

    Serves them right for buying ANYthing from Symantec.

    Never heard of Filevault built into Mac OS X??? doh.

    1. Anonymous Coward
      Pint

      Hmm

      Is filevault whole disk encryption? No.

      Why not suggest they use some other random product which doesn't do what PGP WDE does?

      Never heard of Dreamweaver on Mac OS X??? doh

  7. The Fuzzy Wotnot
    Happy

    So no really serious problem then?

    So after giving it some serious Mac bashing, we get down to this snippet at the end of the article:

    "Fortunately, a fix was provided Thursday morning that's relatively painless. It involves booting off the PGP recovery CD and then logging in to OS X. An automatic self-repair process that's part of the Mac bootup sequence will straighten out things from there."

    So apart from some minor inconvenience, this is no real biggy then? Nothing like stirring the fanbois from both sides into a frenzy on a Friday morning!

    1. Alex Rose

      @The Fuzzy Wotnot

      "after giving it some serious Mac bashing"?

      Are you for real?

      Were you reading the same article that the rest of the world was or have you been sprinkling ketamine on your cornflakes again?

      There was no Mac bashing in that article. None. Nadda.

      What is wrong with you?

    2. Anonymous Coward

      Have you ever done this?

      It takes hours to encrypt / decrypt the disk. Depending on how many macs you support this is actually a right royal pain in the arse.

  8. This post has been deleted by its author

    1. Anonymous Coward

      It does, Oliver...

      PGP doesn't...

    2. CD001

      As soon...

      As soon as I read the article I thought, "How many replies down will the first 'it just works' post be?" - I was almost expecting it to be #1 - not far off at #3 I suppose.

  9. Anonymous Coward

    Errr...

    ..I always decrypt machines before any OS update, regardless of platform. But then maybe I use just a little common sense..

    1. Peter Martin

      re errr

      Really?? Last time I used whole disk encryption (the built in filevault) it took many hours to encrypt, and even longer to decrypt. So a 1 hour OS update turns into an overnight marathon.

      1. John Herz
        Megaphone

        Ay Caramba

        That's not half of it (literally)

        Decrypt/Encrypt takes around twice as long on my MacBook Pro as on my Thinkpad.

        9 hours (each) last time, if memory serves me well

        Corp requires encrypting laptops, not that I have anything sensitive on mine.

        Time to find an independent solution.

        I am incredibly grateful that I found this post before I (unthinkingly) installed the update. That's been my past behaviour. Whew!!!

      2. Zippy the Pinhead
        FAIL

        @ Peter Martin

        Regardless of the time it takes to decrypt and then re-encrypt the drives, that is really the proper way to install OS updates.

  10. Cyberspice
    FAIL

    Not bricked then!

    The EFI bootloader is in flash. Even if the entire hard disk is no longer decryptable (probably because the encryption uses the MD5 checksum or similar of the EFI image to ensure the correct machine) you would still be able to boot from another (unencrypted) storage device. This in fact appears to be the easy fix.

    So the entire article is huburis. The machines are not in fact bricked. They are in fact the complete opposite of bricked. They are easily fixable! May be the reporter doesn't know what bricked means! (Completely unable to restore the device to a working system *by any means* usually including hardware programmers).

    1. teacake

      @cyberspice

      "So the entire article is huburis. "

      "May be the reporter doesn't know what bricked means! "

      Maybe you don't know what "hubris" means.

    2. Anonymous Coward
      FAIL

      Huburis??

      Time for a classic quote... "You using that word. I do not think it means what you think it means"

      It's also mis-spelled!

  11. N2

    PGP

    Is this another piece of good software to be messed up by Symantec?

  12. Rogerborg
    Grenade

    Small bricking, not many injured

    Well, that's what you get for running mundane 3rd party apps on your magical Jobsbox.

  13. Gordon Pryra
    Coat

    Is it true

    That Apple HQ is actually constructed of bricked Macs and iPhones created during "updates"?

  14. Dan Price
    Jobs Halo

    Huh.

    This would never have happened on a Mac.

  15. Kool-Aid drinker

    How many people need WDE?

    Really, how many of us need WDE on a laptop/desktop machine? Mac users can protect data by using the built-in FileVault utility, which although not perfect is a whole lot better than allowing any Symantec products near a machine.

    1. chr0m4t1c

      I suspect

      These are probably corporate users.

      These third party disk encryption systems tend to have useful functionality like allowing a "master" administration password to be set so the company can retain access to the data, or allowing several legitimate users all access the same data on one machine.

      I don't think FileVault offers that sort of thing. In addition to that, FileVault creates a virtual container for each user with the option enabled and it disables backups of the files inside the container - you can only backup the container itself and *only* when the user is logged out.

      Considering the work Apple puts into the usability of the rest of the OS features (e.g. Time Machine), FileVault is particularly poor.

      1. Anonymous Coward
        Thumb Down

        Depends on your perspective

        If you are the IT goon wanting to lord over all, then you want Windows. If you are the user, you want to be able to control what is on YOUR computer, then you want the Mac. And forget about that ridiculous mantra of 'open' and all the BS that purports. With Apple YOU THE USER are the customer, not the IT guy. With Mac, you don't NEED AN IT GUY.

        So, we understand how you IT guys feel.

        Serves them right for NOT using file vault, and paying extra for using Symantec???? Who made that decision? That is idiotic, and any good Mac user could have told you this. Google it.

        1. Anonymous Coward
          Thumb Up

          Ironically challenged

          Thank you for that hilarious performance art. The worst part is, plenty of people actually swallow that guff. Marketing and ideology, what's the difference?

    2. Wibble

      EVERYONE needs WDE

      FileVault is a half-arsed solution that doesn't work with TimeMachine. It only encrypts the /users directory leaving all the system files and applications unencrypted.

      Whole disc encryption means everything is encrypted all the time. No exceptions.

      Who needs it; everyone who values their personal information. E.g. everyone. Anyone who carries other people's data around has a duty of care to protect it, for example your address book or email archive, or your client's information.

      Laptop computers, particularly the shiny Macs, are prime targets for thieves. Just take a laptop bag into a pub in London and see how quickly it's stolen. WDE with a decent pass phrase and decent (different) logon password will render the laptop's data useless to all but the most determined or security services.

      I struggle to understand how people don't get this simple fact.

      BTW Symantec only recently bought PGP. There's only one other WDE system for a Mac which is owned by a company that's even less desirable than Symantec. TrueCrypt WDE isn't available on the Mac.

  16. Velv
    FAIL

    Easy fix....

    ... except ...

    Since your machine no longer boots, how do you get on the internet to

    a) find out that other people are having the same problem; and

    b) get a hold of the instructions on how to complete the fix.

    I can imagine an awful lot of Fanbois paying a "Genius" for the fix - way to go Apple, keep your consultancy rates up by breaking your software.

    1. ThomH

      Except that seeing the Geniuses is free

      And, where possible, the fixes they perform are free. They're one of the reasons that Apple always tops customer service satisfaction polls.

      Not sure how likely they are to play the "it's third party software, you deal with it" card though.

    2. Michael C

      uh...

      ...you call Apple support. ...and they tell you the answer, since they actually support both the OS and the device it's on unlike the competition.

      If you failed to make and keep safe a PGP recovery CD, that's your fault for not reading the manual and understanding that is a MUST DO part of keeping the system secure, especially if you needed to do so in a way File Vault could not by itself suffice.

      If you were dumb enough to install an OS update while not at home, or in a place you could roll back said recovery (and where you had just backed up immediately before doing the update), then, also, your fault.

      OS updates go bad. The updater itself warns you of this possibility, including that you have to be plugged into a power source, not to turn the machine off, have a recent backup, etc. If you installed the update in a coffee shop, nowhere near your time machine backup or PGP recovery disk, and lost access to your machine, temporarily as a result (it's not bricked, it is not in need of hardware replacement due to this, bad author), then I have nothing more to do than laugh at you. If you were in the middle of critical business and chose to do an update? dumb, just dumb.

  17. Anonymous Coward
    Coat

    Always carry a spare

    "Since your machine no longer boots, how do you get on the internet to a) find out that other people are having the same problem; and b) get a hold of the instructions on how to complete the fix."

    From that spare old Windows or Linux or classic-Mac box over in the corner, kept around for just such purposes.

    Not that mom-n-pop Average User would necessarily have such a spare, nor understand why it would be useful, not to mention the fact that they shouldn't *have* to resort to such measures in the first place.

    (Works for me though, except in reverse - I keep my old Mac machine as a spare for when I screw up something on my other main non-Mac computer.)

    But my little workaround there goes against the premise of the "It Just Works" thing that some Mac users expect - they probably figure they'd left all that stuff behind when/if they switched to Mac from some other OS.

    Computers - *any* of 'em - are just not all that reliable, regardless of which OS a person chooses to use.

    I think the average home user expects too much from their computers, which isn't helped by various companies' marketing strategies that encourage people to think that computers are dependable trouble-free appliances.

    A/C because I just woke up and am probably writing incomprehensible nonsense :)

    1. Mike Flugennock
      Thumb Up

      Bravo!

      It sounds like a silly remark on the face of it, but really, you're right on there.

      I have my "main" Mac, a hot-rodded dual G4 minitower, the workhorse of the studio; my "road" Mac, a G4 iBook -- and the "emergency" Mac, a twelve-year-old beige desktop G3 -- with the still-functioning scanner of the same vintage hooked up to it -- which used to be the main studio machine but is now the spare. It's only powered up when needed, like when someone sends me art or layouts created in ancient versions of FreeHand, Illustrator or PageMaker, or when I need to scan something. (Yeah, I know, but I'm one of those guys who'd buy a car brand-new and drive it until it fell apart -- back when I still owned a car. I do keep my eye out on USB scanner reviews for when the old Microtek finally dies)

      I also use the old G3 as my TV set; it's still got the old ixMicro "Turbo TV" card in it, hooked up to a VCR which, in turn, has a DTV converter box patched into it via RCA line-ins. Works great.

    2. Mark 65
      Coat

      @AC: Wrong

      You find out other people are having the same problem by accessing the internet using your shiny iPhone or iPad of course.

  18. John I'm only dancing
    Thumb Down

    Shock, Horror!!

    Symantec software borks Mac. Well I never. I would not have any of their piles of dog excreta anywhere near my trusty Apple.

  19. Wibble

    How long to de/re crypt a drive?

    Encryption of a whole-disc-encrypted hard drive takes ages. It took 7 hours for a 3GHz MBP 17" on a 500Gb 7200RPM drive when I did this a couple of weeks ago after a hard disc failure.

    No doubt it's the same to decrypt?

    I *have* to run PGP whole-disc-encryption as it's the only one available. Apple only supply a half-arsed solution, FileVault, which DOESN'T work with Time Machine. There's one other company that does WDE, but they're on my list of "I just don't trust them".

    Pity -- or maybe just as well -- that TrueCrypt doesn't work on the Mac for a bootable full-disc encryption solution.

    A HUGE thankyou to TheRegister forum poster "uncertified-dba" who made everyone aware of this yesterday.

    1. Anonymous Coward
      Happy

      There's your problem ...

      It took 7 hours for a 3GHz MBP 17" on a 500Gb 7200RPM drive when I did this a couple of weeks ago after a hard disc failure.

      Shoulda got the 19", you'd have been done much quicker.

  20. Robert Carnegie Silver badge

    Maybe don't encrypt the operating system partition then

    or am I missing the point? I mean, yes, "whole disk", but, um, why?

    1. Galidron

      easy

      Sure if you can ensure that no sensitive data will ever be on the system partition then there is no need. As long as you know there will be no IP addresses in /etc/hosts and that no document will ever be saved there, and that there are never any temp files there, and that the partition isn't shared with any non-system file systems then there is no need to encrypt it.

    2. Wibble
      Unhappy

      Filevault doesn't work

      FileVault doesn't work with Time Machine.

      Nothing more to add.

      1. Francis Fish
        Happy

        Works for me

        As long as you remember to log out occasionally and let it recover the space ... even if you use sleep all the time, it still works in Finder, but the sexy GUI doesn't work.

  21. Callum
    Grenade

    truecrypt

    hate to be a killjoy, but my Fedora linux install had a single check box "encrypt this partition" during installation - it has been through 3 major OS updates and a squidzillion minor updates without ever needing any maintenance.

    boohoo. I feel like I'm missing out on something.

  22. Stevie

    Bah!

    Unfortunate, inconvenient but not an indication that anyone was brain-dead when buying or is Hitler personified for going into an Apple Shoppe with Purchase Aforethought.

    The real issue here is that, as always, you won't see this story outside of El Reg and the Mac/PGP forums. Had it happened on a Wintel platform, not only would your morning radio show have led with the news but it would be a feature you could read on any milk carton by now.

    The problem I have with the Apple community is the conspiracy of silence when stuff don't work, not their choice of equipment manufacturer.

    (six pages of personal detrimental experience of same deleted for brevity and reduction of blood pressure).

  23. Anonymous Coward

    And the fanbois are out in force today, starting with the author.

    You know if this were an MS or Google product, this would have been labeled an Epic Fail instead of a Goof in the article.

    Not screwed by this particular problem because I work only on Windows, but I've been screwed by it often enough on this side. The problem is inherent with any whole disk encryption product. While the solution is straightforward, 10-30 hours per system to fix things for a corporate environment, particularly given government PII security regs, creates major problems. Filevault simply does not meet government requirements for handling PII. I wasn't in the group supporting Macs on my last job, but they had that specific issue and had to purchase third party software to get the contracts.

  24. mmm mmm

    This is what we like

    Anything that shows Apple in a less than shining light.

  25. Anonymous Coward
    Grenade

    I think I found the problem!

    Symantec-owned PGP

    Apple, Windows and anything else that has the misfortune of hosting their software, will eventually get Symantec-pwned

  26. Tron Silver badge

    A shocker.

    Two big arrogant companies happier to piss on their users than do the basic checks.

    Lots of grief thinking that you had lost your data, and how do you know about the fix if it is your only computer, unless you wipe it, rebuild from scratch and then go online...to see there was an easy fix.

    Any other environment than tech there would be compensation, but tech companies just get away with it.

    Most encryption software is more trouble than it's worth. You are more likely to forget the password or lose everything in a crash (encrypted data being largely unrecoverable) than have your PC nicked.

    Keep your confidential data off your PC, certainly off your laptop. Carry it on an SD card or a USB stick. Don't let your browser on your laptop store your passwords. A little DIY with a sewing kit can get you a reasonably secure pouch in your jacket or trousers for a storage device. You'd think clothing manufacturers would have thought of that by now. You can never have too many pockets, and muggers rarely steal your trousers.

    [A second wallet with £20, a fake ID with a fake address and a couple of out of date credit cards is also handy. If you have an expensive smartphone, carry a small, cheap PAYG as well. Look terrified and rapidly hand over the cheap phone and second wallet.]

    The government will simply bang you up if you don't tell them your password (or can't remember it) should they want to see your data. Then they will hammer away until they break your encryption. Post 9/11, you haven't got any civil rights, so why spend the money on encryption?

    And of course, commandment 1, b*ck up. Because Apple, Microsoft and most other tech companies regularly f*ck up.

    1. dylan 4
      Black Helicopters

      paranoid much?

      "any other environment than tech there would be compensation" - name ONE such environment where a company hands over compensation for a repairable fault when the user failed to follow basic commonsense precautions?

      I would do (and have done) the second wallet, spare credit card, spare passport thing in seriously dodgy places like crowded marketplaces in La Paz or Nairobbery, when no money/no ID would mean missing flights and being stuck for days/weeks, but couldn't fathom living my life with this attitude.

  27. John Savard

    Problems

    It is true that if you upgrade to a new version of Windows, you may experience some problems with some installed software.

    However, with Windows, usually there's no reason to spend money on upgrading. Just leave the machine with its original OS, except for service packs. When you buy a new machine is time enough to get the latest operating system. So, except when a service pack causes problems, the issue can be entirely avoided.

    Apparently, with the Macintosh, it's more important to keep up-to-date.

  28. Anonymous Coward
    Grenade

    Am I a bit thick ,,,

    or is WDE a bit of overkill in most cases ?

    Encryption is there to protect data, which should be on a separate partition anyway - just encrypt that. And before I get shouted down by the crowd, I'm aware that won't encrypt your registry and most temporary files (although moving your user folder onto an encrypted partition is fairly good practice). But it's like security for your car - you can only go so far.

    1. Matt_payne666

      yes you are!!

      In the corporate environment it's a belt and braces approach, WDE is, in my opinion the only way forwards... the amount of people leaving laptops, etc out for people to steal or leaving them in bars is scary...

      Imagine for some reason a laptop with child protection data for your kids, or your bank details gets stolen, would you feel more comfortable knowing that is only half encrypted?

      control of the whole disk is also easier to implement at the corporate level too... leaves less holes for things to leak out of...

      If people want to use Macs for real work, then, just like their Windows equivalents, they need to be protected from the user.

      Do I use WDE? not on my personal laptop, but the work one, yes.

      Have I had an issue with updates? no... everything is controlled from the domain, with updates being rolled out via wds after extensive testing with our hardware/software configs. There is the issue that we aren't on the bleeding edge of security, but in reality, with a work laptop being used for work, and controls as to what we can and can't do, it's not so much of an issue and things just work!
