Game of File Systems | TechSNAP 272

What’s got Windows admins in a Panic? Total chaos my friends, we’ll tell you why. Extensive coverage of Apple’s new filesystem, Ransomware that might just impress you…

Your great questions, our answers, a packed round up & much, much more!

Show Notes:

Windows Admins in panic after Microsoft fix breaks Group Policies

  • Group Policies are a powerful set of Windows registry settings that are downloaded and applied when a computer or user logs on to a domain.
  • Group Policy Objects (GPOs) allow administrators to control settings and access to Windows computers centrally. They allow things like disabling the Run menu, hiding specific drives, controlling access to applications, and even application whitelisting.
  • On June 14th, Microsoft released MS16-072: Security update for Group Policy rated “Important for all supported releases of Microsoft Windows”
  • “An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine.
    To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.”
  • Later, Microsoft released a knowledge base article about this issue: KB 3163622
  • “MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.”
  • “Symptoms: All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.”
  • “Cause: This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.”
  • Resolution:
  • To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.
  • This issue struck a large number of Windows administrators, some of them extremely hard.
  • GPOs are the main tool administrators have to enforce policies throughout the network.
  • One admin reported: “desktop images were configured such that the A, B, C and D drives were hidden from users, but they are now showing up”
  • This was likely done to keep users from accidentally saving files to the local computer, rather than the network where they can be accessed from other computers, and centrally backed up.
  • “Other users report having printers and drive maps become inaccessible and security group settings no longer applying”
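A way to find the GPOs that will stop applying after MS16-072 before users notice, as an added example (not from the show, nor the script Microsoft later published with the KB article). It assumes the GroupPolicy RSAT module is installed and that the well-known trustees appear as “Authenticated Users” and “Domain Computers” in Get-GPPermission output.

```powershell
# Added example: audit every GPO for the Read permission that the computer
# account now needs (KB 3163622), and optionally apply the KB's first fix.
Import-Module GroupPolicy

function Get-GpoMissingComputerRead {
    param([switch]$Fix)

    # Any of these levels includes Read, which is all the computer context needs
    $readable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # One entry per trustee on this GPO's ACL
        $acl = Get-GPPermission -Guid $gpo.Id -All

        $authUsersOk = $acl | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and
            $_.Permission.ToString() -in $readable }
        $domComputersOk = $acl | Where-Object {
            $_.Trustee.Name -eq 'Domain Computers' -and
            $_.Permission.ToString() -in $readable }

        if (-not ($authUsersOk -or $domComputersOk)) {
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id }

            if ($Fix) {
                # Read only (not Apply): existing user-side security filtering
                # stays exactly as the admin configured it.
                Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
            }
        }
    }
}

# Report first; rerun with -Fix once the list has been reviewed
Get-GpoMissingComputerRead | Format-Table -AutoSize
```

GPOs that intentionally filter by user group are the ones most likely to appear in the list, since admins commonly removed Authenticated Users entirely when adding a filtering group.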

More coverage of APFS, in detail this time

  • Building on the post from last week, Adam Leventhal breaks down his early analysis of APFS.
  • “APFS, the Apple File System, was itself started in 2014 with Dominic as its lead engineer. It’s a stand-alone, from-scratch implementation. I asked him about looking for inspiration in other modern file systems such as BSD’s HAMMER, Linux’s btrfs, or OpenZFS, all of which have features similar to what APFS intends to deliver. Dominic explained that while, as a self-described file system guy (he built the file system in BeOS), he was aware of them, but didn’t delve too deeply for fear, he said, of tainting himself.”
  • “APFS first and foremost pays down the unsustainable technical debt that Apple has been carrying in HFS+. HFS was introduced in 1985 when the Mac 512K (of memory!) was Apple’s flagship. HFS+, a significant iteration, shipped in 1998 on the G3 PowerMacs with 4GB hard drives. Since then storage capacities have increased by factors of 1,000,000 and 1,000 respectively.”
  • Compression: “in typical Apple fashion—neither confirmed nor denied while strongly implying that it’s definitely a feature we can expect in APFS”
  • Encryption: “Encryption is clearly a core feature of APFS. This comes from diverse requirements from the various devices, for example multiple keys within file systems on the iPhone or per-user keys on laptops”
  • Filesystems (and possibly individual files) will support 3 different flavours:
  • Unencrypted
  • Single-key for metadata and user data
  • Multi-key with different choices for metadata, files, and even sections of a file (“extents”)
  • “Multi-key encryption is particularly relevant for portables where all data might be encrypted, but unlocking your phone provides access to an additional key and therefore additional data. Unfortunately this doesn’t seem to be working in the first beta of macOS Sierra (specifying fileEncryption when creating a new volume with diskutil results in a file system that reports “Is Encrypted” as “No”).”
  • “APFS (apparently) supports constant time cryptographic file system erase, called “effaceable” in the diskutil output. This presumably builds a secret key that cannot be extracted from APFS and encrypts the file system with it. A secure erase then need only delete the key rather than needing to scramble and re-scramble the full disk to ensure total eradication. Various iOS docs refer to this capability requiring some specialized hardware; it will be interesting to see what the option means on macOS. Either way, let’s not mention this to the FBI or NSA, agreed?”
  • Snapshots: APFS will support snapshots, but likely not the same type of serialization that “zfs send” provides. “ZFS sends all changed data while Time Machine can have exclusion lists and the like.”
  • “APFS right now is incompatible with Time Machine due to the lack of directory hard links, a fairly disgusting implementation that likely contributes to Time Machine’s questionable reliability. Hopefully APFS will create some efficient serialization for Time Machine backup.”
  • “While Eric Tamura, APFS dev manager, demonstrated snapshots at WWDC, the required utilities aren’t included in the macOS Sierra beta.”
  • Management: “APFS brings another new feature known as space sharing. A single APFS “container” that spans a device can have multiple “volumes” (file systems) within it. Apple contrasts this with the static allocation of disk space to support multiple HFS+ instances, which seems both specious and an uncommon use case. Both ZFS and btrfs have a similar concept of a shared pool of storage with nested file systems for administration and management.”
  • Clones: “Apple’s sort-of-unique contribution to space efficiency is constant time cloning of files and directories.” “With APFS, if you copy a file within the same file system, no data is actually duplicated. Instead a constant amount of metadata is updated and the on-disk data is shared. Changes to either copy cause new space to be allocated (so-called “copy on write” or COW).”
  • “As a quick aside, “files” in macOS are often really directories; it’s a convenient lie they tell to allow logically related collections of files to be treated as an indivisible unit. Right click an application and select “Show Package Contents” to see what I mean.”
  • “Side note: Finder copy creates space-efficient clones, but cp from the command line does not.”
  • Performance: “APFS claims to be optimized for flash” “SSDs mimic the block interface of conventional hard drives, but the underlying technology is completely different. In particular while magnetic media can read or write sectors arbitrarily, flash erases large chunks (blocks) and reads and writes smaller chunks (pages). The management is done by what’s called the flash translation layer (FTL), software that makes blocks and pages appear more like a hard drive. An FTL is very similar to a file system, creating a virtual mapping (a translation) between block addresses and locations within the media. Apple controls the full stack including the SSD, FTL, and file system; they could have built something differentiated, optimizing this components to work together. What APFS does, however, is simply write in patterns known to be more easily handled by NAND. It’s a file system with flash-aware characteristics rather than one written explicitly for the native flash interfaces, more or less what you’d expect in 2016.”
  • “APFS includes TRIM support. TRIM is a command in the ATA protocol that allows a file system to indicate to an SSD (specifically, its FTL) that some space has been freed.”
  • “APFS also focuses on latency; Apple’s number one goal is to avoid the beachball of doom. APFS addresses this with I/O QoS (quality of service) to prioritize accesses that are immediately visible to the user over background activity that doesn’t have the same time-constraints. This is inarguably a benefit to users and a sophisticated file system capability.”
  • Redundancy: “APFS makes no claims with regard to data redundancy. As Apple’s Eric Tamura noted at WWDC, most Apple devices have a single storage device (i.e. one logical SSD) making RAID, for example, moot. Instead redundancy comes from lower layers such as Apple RAID (apparently a thing), hardware RAID controllers, SANs, or even the “single” storage devices themselves.”
  • “Also, APFS removes the most common way of a user achieving local data redundancy: copying files. A copied file in APFS actually creates a lightweight clone with no duplicated data. Corruption of the underlying device would mean that both “copies” were damaged whereas with full copies localized data corruption would affect just one.”
  • Crash Consistency: In order to maintain consistency of the file system after a crash, you need to be able to revert any incomplete operations. The problem is that a typical file system overwrites data in place, making this impossible.
  • “APFS claims to implement a “novel copy-on-write metadata scheme”; APFS lead developer Dominic Giampaolo emphasized the novelty of this approach without delving into the details. In conversation later, he made it clear that APFS does not employ the ZFS mechanism of copying all metadata above changed user data which allows for a single, atomic update of the file system structure.”
  • So APFS does COW for metadata, but not for data, meaning the filesystem will be consistent after a crash, but your data might not be.
  • “It’s surprising to see that APFS includes fsck_apfs—even after asking Dominic I’m not sure why it would be necessary.”
  • Checksums: “Notably absent from the APFS intro talk was any mention of checksums. A checksum is a digest or summary of data used to detect (and correct) data errors. The story here is surprisingly nuanced. APFS checksums its own metadata but not user data. The justification for checksumming metadata is strong: there’s relatively not much of it (so the checksums don’t consume much storage) and losing metadata can cast a potentially huge shadow of data loss. If, for example, metadata for a top level directory is corrupted then potentially all data on the disk could be rendered inaccessible. ZFS duplicates metadata (and triple duplicates top-level metadata) for exactly this reason.”
  • So ZFS can recover from corrupt metadata even in a single-device configuration, because metadata is always stored as two complete copies, or three for important pool-wide metadata.
  • “Explicitly not checksumming user data is a little more interesting. The APFS engineers I talked to cited strong ECC protection within Apple storage devices. Both flash SSDs and magnetic media HDDs use redundant data to detect and correct errors. The engineers contend that Apple devices basically don’t return bogus data.”
  • So Apple relies on the hardware to do the right thing; this is likely to backfire eventually.
  • “The Apple folks were quite interested in my experience with regard to bit rot (aging data silently losing integrity) and other device errors. I’ve seen many instances where devices raised no error but ZFS (correctly) detected corrupted data. Apple has some of the most stringent device qualification tests for its vendors; I trust that they really do procure the best components. Apple engineers I spoke with claimed that bit rot was not a problem for users of their devices, but if your software can’t detect errors then you have no idea how your devices really perform in the field. ZFS has found data corruption on multi-million dollar storage arrays; I would be surprised if it didn’t find errors coming from TLC (i.e. the cheapest) NAND chips in some of Apple’s devices. Recall the (fairly) recent brouhaha regarding storage problems in the high capacity iPhone 6. At least some of Apple’s devices have been imperfect.”
  • Scrub: “As data ages you might occasionally want to check for bit rot. Likely fsck_apfs can accomplish this; as noted though there’s no data redundancy and no checksums for user data, so scrub would only help to find problems and likely wouldn’t help to correct them. And if it makes it any easier for Apple to reverse course, let’s say it’s for the el cheap-o drive I bought from Fry’s not for the gold-plated device I got from Apple.”
  • Conclusions: “Any file system started in 2014 should of course consider huge devices, and SSDs–check and check. Copy-on-write (COW) snapshots are the norm; making the Duplicate command in the Finder faster wasn’t much of a detour. The use case is unclear, it’s a classic garbage can theory solution, a solution in search of a problem, but it doesn’t hurt and it makes for a fun demo. The beach ball of doom earned its nickname; APFS was naturally built to avoid it.”
  • “There are some seemingly absent or ancillary design goals: performance, openness, and data integrity. Squeezing the most IOPS or throughput out of a device probably isn’t critical on watchOS, and it’s relevant only to a small percentage of macOS users. It will be interesting to see how APFS performs once it ships (measuring any earlier would only misinform the public and insult the APFS team).”
  • “APFS development docs have a bullet on open source: “An open source implementation is not available at this time.” I don’t expect APFS to be open source at this time or any other, but prove me wrong, Apple. If APFS becomes world-class I’d love to see it in Linux and FreeBSD–maybe Microsoft would even jettison their ReFS experiment. My experience with OpenZFS has shown that open source accelerates that path to excellence. It’s a shame that APFS lacks checksums for user data and doesn’t provide for data redundancy. Data integrity should be job one for a file system, and I believe that that’s true for a watch or phone as much as it is for a server.”
  • “At stability, APFS will be an improvement, for Apple users of all kinds, on every device. There are some clear wins and some missed opportunities. Now that APFS has been shared with the world the development team is probably listening. While Apple is clearly years past the decision to build from scratch rather than adopting existing modern technology, there’s time to raise the priority of data integrity and openness. I’m impressed by Apple’s goal of using APFS by default within 18 months. Regardless of how it goes, it will be an exciting transition.”
  • I am not sure anyone has ever wanted an “Exciting” filesystem.

New Ransomware written entirely in JavaScript, RAA

  • A new crypto ransomware has made an appearance on the Internet, and it is slightly unusual.
  • The malware arrives as an attachment pretending to be a .doc file, but is actually .js
  • For whatever reason, the default file association for .js on Windows is the Windows Script Host, so when the attachment is opened, the JavaScript actually executes.
  • The JavaScript standard library does not include any encryption mechanisms; however, the designers of the malware bundled CryptoJS, a library that provides standard crypto primitives like AES-256 in pure JavaScript.
  • The ransomware demands around $250 worth of bitcoin for the key to decrypt your files
  • The ransomware also comes bundled with embedded password-stealing malware.
  • So even if you pay, the attackers have already stolen all of your saved passwords
  • Once the ransomware is run, it generates a random .doc file and opens it. The goal is to make the user think the file was corrupt, so the user does not become suspicious.
  • “While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption”
  • It also seems to purposely disable the Windows Volume Shadow Copy service. It may also destroy existing shadow copies; the code is too obfuscated to tell right now.
  • “Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [ID] being the unique ID assigned to the victim. The text of this ransom note is in Russian”
  • “When a JavaScript file, such as RAA, executes outside of the browser it requires an interpreter that can read the file and execute the JavaScript commands within it. As most people do not need to execute Javascript outside of a web browser, it is suggested that everyone disables the Windows Script Host so that these types of files are not allowed to execute. If you wish to disable the windows script host, which is enabled by default in Windows, you can add the following DWORD Registry entry to your computer and set the value to 0.”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
  • You probably don’t need to execute JavaScript on your machine anyway. Push this out as a group policy… and hope it works 😉
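The registry change from the quoted advice, wrapped so you can see the state before and after, as an added example (not from the show or the article it quotes). It assumes an elevated PowerShell session for the HKLM write, and that .js resolves through the HKEY_CLASSES_ROOT\.js ProgID as on a stock install.

```powershell
# Added example: report the Windows Script Host "Enabled" DWORD described in
# the show notes, show which handler .js files currently resolve to, and
# set Enabled = 0 so double-clicked .js attachments no longer run.

$WshKey = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # The value is absent by default, which Windows treats as enabled (1)
    $enabled = (Get-ItemProperty -Path $WshKey -Name Enabled `
                    -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) { $enabled = 1 }

    # Default handler for a double-clicked .js: extension -> ProgID -> open command
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.js' `
                   -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty `
            -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        WshEnabled    = [bool]$enabled
        JsProgId      = $progId         # JSFile on a stock install
        JsOpenCommand = $command        # normally points at WScript.exe
    }
}

function Disable-Wsh {
    # The Settings key may not exist on a clean install; create it first
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord -Value 0 -Force |
        Out-Null
    Get-WshState
}

Get-WshState    # before: WshEnabled True
Disable-Wsh     # after:  WshEnabled False
```

With Enabled set to 0, WScript.exe still launches for a .js file but stops with “Windows Script Host access is disabled on this machine”, so the file association itself does not need to change.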
