Hypocrisy of enterprise IT security

Quick rant. At work I've been debugging an issue with some customers. Recently we updated how our virtual camera works on macOS. Before, we used the DAL interface; now we have switched to the more secure system extension. DAL works much like how Windows implements a virtual camera using DirectShow: the system loads a dynamic library into any app that wants to use it. There are obvious problems with this. Any DAL plugin can execute arbitrary code inside the host process at that point, including reading the process's memory and stealing confidential information. Also, since the DAL plugin executes inside another app, you need a daemon to transport video frames from source to destination.

So Apple introduced the new API, System Extensions. It runs the extension in its own "sandbox" (ignoring technical details here) and the system does the IPC. Basically a microkernel design, so app developers can have low-level access to the system while keeping system integrity. The extension can't read anything it shouldn't. After we released this upgrade, some of our enterprise customers started to complain that they couldn't install the system extension. We did some debugging with them. Turns out MDM software can, and commonly will, block 3rd-party system extensions from loading.

This is already stupid. They are actively saying "you should totally use the old API that lets 3rd parties load arbitrary code into your browser".

Now the more stupid part. In the DAL approach, due to the need to support multiple users and deal with the app sandbox, we are forced to run our transport daemon AS F**KING ROOT. And MDM vendors allowed it. Yet they complain a system extension is too dangerous to allow because it directly interacts with the kernel? As root we can already wreak havoc many, many times over, even kill your MDM process, heck, brick the entire OS. Sure, a system extension has kernel-level access, but that doesn't stop anyone from doing stupid stuff with root power.

Oh, the hypocrisy. This is why I will never work for some enterprise. Not before managers are educated with some real InfoSec.

As a side note: stealing documents from an MDM-managed machine is easy. Ever tried bitbanging through the audio jack? It's slow, easy, fun, doable with tools preinstalled on the two relevant enterprise desktop OSes, and it made managers' jaws drop when I returned 30 minutes later with their top secret. No, blocking USB, forcing VPN and demanding strong passwords does not stop a sophisticated attack with physical access.

Author's profile. Photo taken in VRChat by my friend Tast+
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes I do AI research. Chronic VRChat addict.

I run TLGS, a major search engine on Gemini. Used by Buran by default.

  • marty1885 \at protonmail.com
  • GPG: 76D1 193D 93E9 6444
  • Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df