Ye who've preferred clicking to learning are getting your just rewards.
Both Carbon Copy Cloner and OnyX have been found to broadcast passwords in the clear.
Q: Why is this such a big deal?
A: Because it's shitty software engineering and because it leaves you wide open to attack.
Q: How does it leave me open to attack?
A: Your password's sent in the clear. Any interloper, physical or virtual, can pick it up 'just like that' and see what your password is and compromise (hijack) your machine. In fact it's so simple it can be written in a simple shell script hidden on your hard drive - it doesn't even take 'real programming'.
Q: What can I do about this?
A: Stop using these kiddie toys immediately. With Carbon Copy Cloner you might have to search far and wide for a replacement, but with OnyX you can use CLIX - or Terminal.app, which is essentially the same thing. Do not trust any of the 'GUI front ends' for Terminal: like Cocktail, they're probably all wide open because they're all pulling the same dumbass stunt.
Q: How about CLIX?
A: CLIX isn't affected. It doesn't work the same way. (It's better.)
Q: Will the vendors fix these vulnerabilities?
A: They might - but to do so might require a level of expertise they don't currently possess.
Q: Is there a workaround for these vulnerabilities?
A: No. Good luck finding a better Carbon Copy Cloner (good luck to the vendor) but as for all those 'system optimisers' - give it up: you shouldn't have been using them in the first place. Get a life, get an education, get a book on Unix - and get CLIX.