Apple Plugs Software Update Hole
hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."
Was there a worm hole in the apple?
"they have patches :D"
A story was posted on the front page not 5 minutes ago. Damnit! YOU'RE CONFUSING THE USERS!
"Blessed are the poor in threshold: for theirs is the Kingdom of the Page-Lengthening and Page-Widening Posts.
"Blessed are they that mourn the death of *BSD: for they shall be comforted with an ultradense Linux server from VA Linux, now sold by California Digital Corporation.
"Blessed are the posters of smug one-liners: for they shall inherit an Account Capped at 50.
"Blessed are they which do hunger and thirst after The First Post: for they shall have the Third or Fourth Post.
"Blessed are the karma whores: for they shall obtain "Score: 5, Insightful".
"Blessed are those who dismiss out-of-hand: for they shall fail to see the Point of the Original Post.
"Blessed are those who seek to associate themselves with the latest techno-fad: for they shall be called 3L33T for at least Another Half Hour.
"Blessed are they which are persecuted for their own self-righteousness' sake: for theirs is the Kingdom of "Ask Slashdot".
"Blessed are the over-eager, who believe that Open Source is a social movement heralding the rise of a new generation: for they shall not realize that There Are No Sacred Cows.
"Blessed are ye, when men shall revile you, and persecute you, and shall say all manner of evil against you falsely, for the sake of your Favorite Operating System.
"Rejoice, and be exceeding glad: for great is your reward in Heaven: for so persecuted they the prophets which were before you.
THIS IS THE WORD OF THE LORD
Maybe they should work on securing their OS by design.
We wouldn't want all those people more intelligent than the rest of us to get rooted.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
Do you use the software update mechanism to update the software update mechanism?
IIRC, doesn't MS's Windows Update already do something like SHA1 (or some other algorithm) signature checking?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Microsoft is nipping at their heels on turnaround time. What a great position to be in.
(Insert obligatory Linux plug here)
Do not fold, spindle or mutilate.
Subject line says all...
"How to Do Nothing," kids activities, back in print!
I know, I know. I should go work on discrediting the Apollo missions, too. ;-)
*LONG LIVE*
As a Tibook owner I'm darn glad Apple is getting more serious about releasing security patches. Now that they've entered the server market (with the Xserve), they really have no choice.
True, Apple has said that OS 9 is dead, but there's a hell of a lot of installations out there, and they all use an insecure Software Update mechanism as well. Apple needs to do the right thing and fix it for those who haven't upgraded because they can't (like those with hardware whose drivers haven't been updated yet), and to prevent Classic from becoming its own security hole.
I use Macs for work, Linux for education, and Windows for cardplaying.
the reason it was so quick, was that they had probably included these crypto-features in their new upcoming os release(s)... they could have just done a diff ...
but who knows? maybe they are quick!
- david
So this is what you guys have resorted to?
Slashdroids have crippled this site beyond any useful functionality (URL filter? 20-second wait time for posting?) so that it's no wonder people have stopped coming.
Well, I've got news for you, bud. Your new filter is broken.
I haven't posted in almost a week, and my karma is just fine. Thank you for giving me another reason not to bother coming back.
And you say the MPAA is good at driving away its own customers? Pssssh!
I might buy one. However, since every time I get ready to purchase one I read an article about how they are screwing someone, I'll have to pass (yet again).
Just post AC and move on your merry way. What you say doesn't need points (unless your self esteem is low or something).
Credits: onby
1. Introduction
As everyone knows, Open Source software is the wave of the future. With the market share of GNU/Linux and *BSD increasing every day, interest in Open Source Software is at an all time high.
Developing software within the Open Source model benefits everyone. People can take your code, improve it and then release it back to the community. This cycle continues and leads to the creation of far more stable software than the 'Closed Source' shops can ever hope to create.
So you're itching to create that Doom 3 killer but don't know where to start? Read on!
2. First Steps
The most important thing that any Open Source project needs is a Sourceforge page. There are tens of thousands of successful Open Source projects on Sourceforge; the support you receive here will be invaluable.
OK, so you've registered your Sourceforge project and set the status to '0: Pre-Thinking About It', what's next?
3. Don't Waste Time!
Now you need to set up your SourceForge homepage. Keep it plain and simple - don't use too many HTML tags, just knock something up in VI. Website editors like FrontPage and DreamWeaver just create bloated eye-candy - you need to get your message to the masses!
4. Ask For Help
Since you probably can't program at all you'll need to try and find some people who think they can. If your project is a game you'll probably need an artist too. Ask for help on your new Sourceforge pages. Here is an example to get you started:
"Hi there! Welcom to my SorceForge page! I am planing to create a Fisrt Person Shooter game for Linux that is going to kick Doom 3's ass! I have loads of awesome ideas, like giant robotic spiders! I need some help thouh as I cant program or draw. If you can program or draw the tekstures please get in touch! K thx bye!"
Thousands of talented programmers and artists hang out at Sourceforge ready to devote their time to projects so you should get a team together in no time!
5. The A-Team
So now you have your team together you are ready to change your project's status to '1: Pre-Bickering'. You will need to discuss your ideas with your team mates and see what value they can add to the project. You could use an Instant Messaging program like MSN for this, but since you run Linux you'll have to stick to e-mail.
Don't forget that YOU are in charge! If your team doesn't like the idea of giant robotic spiders just delete them from the project and move on. Someone else can fill their place and this is the beauty of Open Source development. The code might end up a bit messy and the graphics inconsistent - but it's still 'Free as in Speech'!
6. Getting Down To It
Now that you've found a team of right thinking people you're ready to start development. Be prepared for some delays though. Programming is a craft and can take years to learn. Your programmer may be a bit rusty but will probably be writing "hello world" programs after school in no time.
Closed Source games like Doom 3 use the graphics card to do all the hard stuff anyhow, so your programmer will just have to get the NVidia 'API' and it will be plain sailing! Giant robot spiders, here we come!
7. The Outcome
So it's been a few years, you still have no files released or in CVS. Your programmer can't get enough time on the PC because his mother won't let him use it after 8pm. Your artist has run off with a Thai She-Male. Your project is still at '1: Pre-Bickering'...
Congratulations! You now have a successful Open Source project on Sourceforge! Pat yourself on the back, think up another idea and do it all again! See how simple it is?
- poopbot: news for turds, stuff that splatters
seek. kill. destroy.
seak. ki1l. des+roy.
s3ak. ki1l. d3s+r0y.
53ek. ki1l. d35+r0y.
533k. |<i11. |)35+r0y.
533|<. |<|11. |)35+r0y.
THERE IS NO FREE SPEECH ON SLASHDOT.
people would be screaming about how slow and inefficient they were.
Hypocrites.
if you want to make sure this update is valid you can read the update info and verify the checksum
or for the extra paranoid, check the secure page
Apple has been really taking security seriously lately and this only helps to build confidence that the machine is capable of being used by more novice users who know nothing about the evils of being rooted.
It seems that the Janitors, in their infinite wisdom, have banned people who have low/negative karma from posting more than twice per day. Personally I find this completely stupid.
All the trolls will simply post AC as I am doing now. Proxies can be used to get around any ipid bans that result from AC trolls.
Surely it is better to let the trolls post at -1 where it is out of most people's way rather than have them all post at 0 and suck up mod points and time from "legit" users?
I have tried to communicate my thoughts to the slashcode team but alas, to no avail. They are probably all sittin on their starwars bed sheets watching anime hentai tentacle rape pr0n.
Here is my proposal: All trolls that cannot post using their account post as AC. Use proxies if need be (www.antiproxy.com is a good source). I suspect this will show them how useless this idea is. Will blocking troll uid's stop trolls? NO! will ipid bans stop trolls? NO!
I seriously fail to see the point of this and consider it a stupid move by the janitors.
They want us to troll and crapflood at 0 rather than -1? Fine! So be it! No longer will we post at -1 where few people dare to visit, now we will post at 0 where we will be more visible and waste people's time, energy and mod points! Hoorah!
The next thing you know, posting AC will be banned! Then what will you do? No more posting interesting insider tidbits! Groupthink all the way baby! oh yeah!
So logout, post shit, use proxies and above all have fun!
Let the games begin!
-- on by
so you think X acts odd?
look at good old mac os 9 where holding down the mouse button would freeze every process of copying or deleting files.
so what?
OS9 and OSX are VERY different from the ground up. I would be surprised if fundamental security issues that are found in one exist in the other.
Cheers
Now Fritz and I can get them working on that analog hole.
The new system of banning negative karma accounts after two posts (!) is... um... working.
Right.
woooooooooooo!
Buddhistforbundet / Karma Tashi Ling buddhistsamfunn. We encourage all Buddhists and friends of Buddhism who feel they belong to Karma Tashi Ling to enrol in Buddhistforbundet, with affiliation to Karma Tashi Ling buddhistsamfunn. Membership in Buddhistforbundet / Karma Tashi Ling buddhistsamfunn (KTLBS) is free. Karma Tashi Ling buddhistsamfunn cooperates with six other Buddhist organisations and groups in Buddhistforbundet (BF), which is Norway's second-largest non-Christian religious community, with over 6000 members. For more information, see the brochure Buddhismen i Norge. NB! Membership in Karma Tashi Ling buddhistsamfunn is not the same as supporting membership in Karma Tashi Ling buddhistsenter. They are two different relationships. See the brochure: Hvordan kan du holde deg informert om Karma Tashi Lings aktiviteter, kurs, lamabesøk og andre aktiviteter.... for more information about supporting membership. We encourage you to do both! For you, membership in BF / Karma Tashi Ling buddhistsamfunn brings the following benefits: * You are offered Buddhist life-cycle rites * You are kept informed about and invited to Buddhistforbundet's events * BF speaks on your behalf to the authorities, the school system in matters of belief, etc. * You receive BF's information brochure with each new revision. * You gain the right to vote at the annual meeting and also become eligible, if you wish, for election to Karma Tashi Ling's board (provided you also take out a supporting membership). See separate brochure. * And, as mentioned, it is completely free. Your membership brings the following benefits for Karma Tashi Ling: * Annual income. Karma Tashi Ling receives on average about NOK 300 per member per year from the state and municipality, the so-called church tax. Remember that this tax goes to the state church even if you have left it but have not joined another religious or belief community. * More reliable and faster execution of plans and projects, such as building a stupa, extensions, new centres, etc.
The more members, the stronger a voice Buddhism gets in Norway in religious-policy questions, e.g. in matters such as religious education in schools, influence on textbooks, etc. Conditions: * Norwegian law requires that one can only be a member of one religious or belief community. You must therefore first have left, e.g., the state church (Karma Tashi Ling can supply the form for this). Such withdrawal is not necessary for those born outside Norway, unless one has actively joined another religious or belief community after arriving in Norway. * You must be resident in Norway. * Everyone, both adults and children, can be enrolled in KTLBS. For children under 15, a guardian's signature is required. * Membership runs until written notice of withdrawal is received. * You must notify Karma Tashi Ling buddhistsamfunn in writing when you move. How to proceed: Supporting membership. Supporting membership in Karma Tashi Ling buddhistsenter gives many benefits, besides supporting the centre. You receive letters with news, discounts at events, and borrowing rights from the library. If you are going to attend all or large parts of the course, you will actually save money by taking out a supporting membership. Supporting membership costs NOK 300 per year. Those who live at the same address as someone who has paid the full price pay NOK 150 for supporting membership. In that case one does not receive mail. Those who become supporting members for the first time after 1 July pay for only half a year, NOK 150. You can send in the fee by postal giro: 0801 23 08427. Remember to mark the form with the purpose of the payment. How to get to Karma Tashi Ling. Bus times: Bus no. 71 runs from Jernbanetorget (about 30 minutes' travel time) to the Nyjordet stop. Departures on weekdays: 10, 25, 40, 55 minutes past each hour. During weekday rush hour there is an express bus, route 51E (about 20 min. travel time), from 14.48, departing 03, 18, 33, 48 past each hour until 17.18. Then at 18.10 and onwards at 40 and 10 past each hour until 21.40. Saturday the route is (71) 10, 25, 40, 55
Krama: Bigdickinyoura
what a great way to sneak in a little trojan... spoof apple's own software update function and provide it for everyone under the guise of apple acting swiftly to patch a hole. put it up on a spoofed apple page and even provide a verification checksum to ease any suspicion. ah well. would make a good movie twist...
The line between terrorist and patriot depends on which side of the Molotov cocktail you are on.
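The story summary says the new Software Update client only installs packages carrying a valid signature, and the comment above describes why a checksum published next to the package is no defence when both come from the same spoofed source. As an added example (not Apple's code and not from this thread), the following Go program models that difference: a checksum-only check accepts a package served with a matching spoofed digest, while a manifest signed with a vendor key pinned in the client rejects it. The manifest format, the Ed25519 choice, and all names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the metadata an update client
// receives: which package this is and the digest of its bytes.
type Manifest struct {
	Package string
	Version string
	SHA256  string // hex digest of the package bytes
}

// canonical returns a fixed byte encoding of the manifest so that signer and
// verifier sign and verify exactly the same input.
func (m Manifest) canonical() []byte {
	return []byte(m.Package + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// digest returns the hex SHA-256 of a package body.
func digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor-side step; the private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// ChecksumOnly models the pre-patch situation: the client trusts whatever
// digest the server sent, so anyone who controls both the package and the
// digest page passes this check.
func ChecksumOnly(m Manifest, pkg []byte) bool {
	return m.SHA256 == digest(pkg)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrBadDigest    = errors.New("package digest does not match the signed manifest")
)

// VerifyUpdate is the client-side gate. The manifest signature is checked
// against a public key that ships with the client; only then is the package
// compared to the signed digest. Both must hold before anything is installed.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, pkg []byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.SHA256 != digest(pkg) {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice only pub would be in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed package bytes for Software Update 1.4.6")
	m := Manifest{Package: "SoftwareUpdate", Version: "1.4.6", SHA256: digest(pkg)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, pkg))

	// Spoofed mirror: a constructed trojaned package served together with a
	// digest that matches it. The checksum-only client is fooled; the signed
	// manifest cannot be forged without the vendor's private key.
	evil := []byte("constructed trojaned package")
	spoofed := Manifest{Package: m.Package, Version: m.Version, SHA256: digest(evil)}
	fmt.Println("checksum-only accepts spoof:", ChecksumOnly(spoofed, evil))
	fmt.Println("signed check on spoof:", VerifyUpdate(pub, spoofed, sig, evil))

	// Tampered bytes served with the genuine signed manifest fail the digest step.
	fmt.Println("tampered bytes, genuine manifest:", VerifyUpdate(pub, m, sig, evil))
}
```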
As an enlightened, modern parent, I try to be as involved as possible in the lives of my six children. I encourage them to join team sports. I attend their teen parties with them to ensure no drinking or alcohol is on the premises. I keep a fatherly eye on the CDs they listen to and the shows they watch, the company they keep and the books they read. You could say I'm a model parent. My children have never failed to make me proud, and I can say without the slightest embellishment that I have the finest family in the USA.
Two years ago, my wife Carol and I decided that our children's education would not be complete without some grounding in modern computers. To this end, we bought our children a brand new Compaq to learn with. The kids had a lot of fun using the handful of application programs we'd bought, such as Adobe's Photoshop and Microsoft's Word, and my wife and I were pleased that our gift was received so well. Our son Peter was most entranced by the device, and became quite a pro at surfing the net. When Peter began to spend whole days on the machine, I became concerned, but Carol advised me to calm down, and that it was only a passing phase. I was content to bow to her experience as a mother, until our youngest daughter, Cindy, charged into the living room one night to blurt out: "Peter is a computer hacker!"
As you can imagine, I was amazed. A computer hacker in my own house! I began to monitor my son's habits, to make certain that Cindy wasn't just telling stories, as she is prone to doing at times.
After a few days of investigation, and some research into computer hacking, I confronted Peter with the evidence. I'm afraid to say, this was the only time I have ever been truly disappointed in one of my children. We raised them to be honest and to have integrity, and Peter betrayed the principles we tried to encourage in him, when he refused point blank to admit to his activities. His denials continued for hours, and in the end, I was left with no choice but to ban him from using the computer until he is old enough to be responsible for his actions.
After going through this ordeal with my own family, I was left pondering how I could best help others in similar situations. I'd gained a lot of knowledge over those few days regarding hackers. It's only right that I provide that information to other parents, in the hope that they will be able to tell if their children are being drawn into the world of hacking. Perhaps other parents will be able to steer their sons back onto the straight and narrow before extreme measures need to be employed.
To this end, I have decided to publish the top ten signs that your son is a hacker. I advise any parents to read this list carefully and if their son matches the profile, they should take action. A smart parent will first try to reason with their son, before resorting to groundings, or even spanking. I pride myself that I have never had to spank a child, and I hope this guide will help other parents to put a halt to their son's misbehaviour before a spanking becomes necessary.
1. Has your son asked you to change ISPs?
Most American families use trusted and responsible Internet Service Providers, such as AOL. These providers have a strict "No Hacking" policy, and take careful measures to ensure that your internet experience is enjoyable, educational and above all legal. If your child is becoming a hacker, one of his first steps will be to request a change to a more hacker friendly provider.
I would advise all parents to refuse this request. One of the reasons your son is interested in switching providers is to get away from AOL's child safety filter. This filter is vital to any parent who wants his son to enjoy the internet without the endangering him through exposure to "adult" content. It is best to stick with the protection AOL provides, rather than using a home-based solution. If your son is becoming a hacker, he will be able to circumvent any home-based measures with surprising ease, using information gleaned from various hacker sites.
2. Are you finding programs on your computer that you don't remember installing?
Your son will probably try to install some hacker software. He may attempt to conceal the presence of the software in some way, but you can usually find any new programs by reading through the programs listed under "Install/Remove Programs" in your control panel. Popular hacker software includes "Comet Cursor", "Bonzi Buddy" and "Flash".
The best option is to confront your son with the evidence, and force him to remove the offending programs. He will probably try to install the software again, but you will be able to tell that this is happening, if your machine offers to "download" one of the hacker applications. If this happens, it is time to give your son a stern talking to, and possibly consider punishing him with a grounding.
3. Has your child asked for new hardware?
Computer hackers are often limited by conventional computer hardware. They may request "faster" video cards, and larger hard drives, or even more memory. If your son starts requesting these devices, it is possible that he has a legitimate need. You can best ensure that you are buying legal, trustworthy hardware by only buying replacement parts from your computer's manufacturer.
If your son has requested a new "processor" from a company called "AMD", this is genuine cause for alarm. AMD is a third-world based company who make inferior, "knock-off" copies of American processor chips. They use child labor extensively in their third world sweatshops, and they deliberately disable the security features that American processor makers, such as Intel, use to prevent hacking. AMD chips are never sold in stores, and you will most likely be told that you have to order them from internet sites. Do not buy this chip! This is one request that you must refuse your son, if you are to have any hope of raising him well.
4. Does your child read hacking manuals?
If you pay close attention to your son's reading habits, as I do, you will be able to determine a great deal about his opinions and hobbies. Children are at their most impressionable in the teenage years. Any father who has had a seventeen year old daughter attempt to sneak out on a date wearing make up and perfume is well aware of the effect that improper influences can have on inexperienced minds.
There are, unfortunately, many hacking manuals available in bookshops today. A few titles to be on the lookout for are: "Snow Crash" and "Cryptonomicon" by Neal Stephenson; "Neuromancer" by William Gibson; "Programming with Perl" by Timothy O'Reilly; "Geeks" by Jon Katz; "The Hacker Crackdown" by Bruce Sterling; "Microserfs" by Douglas Coupland; "Hackers" by Steven Levy; and "The Cathedral and the Bazaar" by Eric S. Raymond.
If you find any of these hacking manuals in your child's possession, confiscate them immediately. You should also petition local booksellers to remove these titles from their shelves. You may meet with some resistance at first, but even booksellers have to bow to community pressure.
5. How much time does your child spend using the computer each day?
If your son spends more than thirty minutes each day on the computer, he may be using it to DOS other people's sites. DOSing involves gaining access to the "command prompt" on other people's machines, and using it to tie up vital internet services. This can take up to eight hours. If your son is doing this, he is breaking the law, and you should stop him immediately. The safest policy is to limit your children's access to the computer to a maximum of forty-five minutes each day.
6. Does your son use Quake?
Quake is an online virtual reality used by hackers. It is a popular meeting place and training ground, where they discuss hacking and train in the use of various firearms. Many hackers develop anti-social tendencies due to the use of this virtual world, and it may cause erratic behaviour at home and at school.
If your son is using Quake, you should make him understand that this is not acceptable to you. You should ensure all the firearms in your house are carefully locked away, and have trigger locks installed. You should also bring your concerns to the attention of his school.
7. Is your son becoming argumentative and surly in his social behaviour?
As a child enters the electronic world of hacking, he may become disaffected with the real world. He may lose the ability to control his actions, or judge the rightness or wrongness of a course of behaviour. This will manifest itself soonest in the way he treats others. Those whom he disagrees with will be met with scorn, bitterness, and even foul language. He may utter threats of violence of a real or electronic nature.
Even when confronted, your son will probably find it difficult to talk about this problem to you. He will probably claim that there is no problem, and that you are imagining things. He may tell you that it is you who has the problem, and you should "back off" and "stop smothering him." Do not allow yourself to be deceived. You are the only chance your son has, even if he doesn't understand the situation he is in. Keep trying to get through to him, no matter how much he retreats into himself.
8. Is your son obsessed with "Lunix"?
BSD, Lunix, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War. It is based on a program called "xenix", which was written by Microsoft for the US government. These programs are used by hackers to break into other people's computer systems to steal credit card numbers. They may also be used to break into people's stereos to steal their music, using the "mp3" program. Torovoltos is a notorious hacker, responsible for writing many hacker programs, such as "telnet", which is used by hackers to connect to machines on the internet without using a telephone.
Your son may try to install "lunix" on your hard drive. If he is careful, you may not notice its presence, however, lunix is a capricious beast, and if handled incorrectly, your son may damage your computer, and even break it completely by deleting Windows, at which point you will have to have your computer repaired by a professional.
If you see the word "LILO" during your windows startup (just after you turn the machine on), your son has installed lunix. In order to get rid of it, you will have to send your computer back to the manufacturer, and have them fit a new hard drive. Lunix is extremely dangerous software, and cannot be removed without destroying part of your hard disk surface.
9. Has your son radically changed his appearance?
If your son has undergone a sudden change in his style of dress, you may have a hacker on your hands. Hackers tend to dress in bright, day-glo colors. They may wear baggy pants, bright colored shirts and spiky hair dyed in bright colors to match their clothes. They may take to carrying "glow-sticks" and some wear pacifiers around their necks. (I have no idea why they do this.) There are many such hackers in schools today, and your son may have started to associate with them. If you notice that your son's group of friends includes people dressed like this, it is time to think about a severe curfew, to protect him from dangerous influences.
10. Is your son struggling academically?
If your son is failing courses in school, or performing poorly on sports teams, he may be involved in a hacking group, such as the infamous "Otaku" hacker association. Excessive time spent on the computer, communicating with his fellow hackers may cause temporary damage to the eyes and brain, from the electromagnetic radiation. This will cause his marks to slip dramatically, particularly in difficult subjects such as Math, and Chemistry. In extreme cases, over-exposure to computer radiation can cause schizophrenia, meningitis and other psychological diseases. Also, the reduction in exercise may cause him to lose muscle mass, and even to start gaining weight. For the sake of your child's mental and physical health, you must put a stop to his hacking, and limit his computer time drastically.
I encourage all parents to read through this guide carefully. Your child's future may depend upon it. Hacking is an illegal and dangerous activity, that may land your child in prison, and tear your family apart. It cannot be taken too seriously.
Once upon a time two great alliances of nations fought a long and bitter war in a clash of good against evil. Eventually the forces of light won, and all that remained was one small nation led by evil rulers that would not surrender, no matter what the cost to their nation.
In their wisdom, the greatest nation in the forces of light decided that it would be wrong to drag the battle out longer than was necessary and decimate those whose only fault was to have been duped by evil men, and so they got their mightiest wizards to rain fire upon two of their enemy's cities, and the enemy leaders realised their folly and capitulated at once.
Knowing that prosperity encourages peace, the wise men of the great nation went into the conquered nation and helped rebuild it, letting the people rule themselves and build a future for their nation. In time, they began to prosper thanks to hard work and ingenuity, and eventually they became a mighty trading nation, far surpassing any level of wealth they might have otherwise expected.
Unfortunately the clash of old and new cultures gave rise to a value system that neither culture would have been happy with. Indeed, some of these new fetishes were so virulently immoral they could be described as a plague. And like any plague, they could spread far beyond where they were spawned, infecting entirely new cultures unused to and unprotected from their effects.
This is a story about one such plague, and how it has reached our shores.
In recent years there has been a growing trend amongst radical youth elements of American society for cultural relativism, the foolish belief that other cultures have something to offer. This is clearly not true, and anyone that cares to take the time to do the research will find that the US is by far the world's greatest nation in terms of any statistic that matters. Unfortunately thanks to the influence of Liberal elements in our once-great education system these individuals choose to turn away from the products our culture produces and embrace alien ideas that are an affront to God and our Founding Fathers.
In some cases this relativism is less harmful than others; the English culture apes our own enough so that there is little harm to be had. But other so-called cultures are purely and simply alien to morality, and the cultural apologists are nothing more than a group of deceivers intent on the final replacement of Christian moral values with a Liberal credo of immorality and sin.
The worst attack on morality comes in the form of Japanese manga films, which spread a shocking message of immorality under the cover of animation, a cynical move targeting a genre typically aimed at children. These films are supposedly aimed at adults, but a moment's reflection counters this vacuous argument - what kind of grown adult watches cartoons? When we become adults we put childish things behind us, and cartoons, whilst of invaluable aid in entertaining and educating children, are of no use to a healthy adult of sound mind and firm moral base.
Upon my first encounter with this foreign plague I was shocked at the gratuitous use of violence and anti-Christian symbolism. These films all fall into the fantasy and science-fiction genres (which are little more than a hotbed of paganism and Satanism anyway) and the stories generally involve an epic conflict between the forces of "good," who are typically imbued with obviously Satanic powers, and their enemies, also possessing such powers. Indeed, the only difference is that the forces of "evil" are more obviously demonic in their visages! These two forces engage in megaviolent battles using their Satanic powers, and at the end of an orgy of blood and dismembered limbs the forces of "good" are victorious and undoubtedly retire to give thanks to their evil master.
At this point I was shocked enough. Never before have I seen such a celebration of violence and Satanism, and to see it in a medium designed to entice children had me gripping the edge of my seat in righteous outrage. What kind of sick mind could conceive of such a vicious assault on the kind of decent Christian values that made America the greatest nation on Earth? It was clear to me at that point that this was nothing other than an insidious campaign being waged against our nation's youths, designed to blind them to the Truth and install the Liberal lies of a relativistic paradise where morality is whatever makes you feel good.
And worse yet, it was succeeding! The popularity of manga films has increased over the last decade, and yet few people have realised how many of our nation's children have been turned to the Liberals. I at once decided that something needed to be done about this scourge, and began to engage in an intense bout of research, forcing myself to watch hour after hour of this immoral filth. And slowly, something else became clear. I had been wrong. Very wrong.
No, the real agenda was not the dissemination of psychopathic and anti-Christian messages. These were nothing more than a cover for what these vile "films" were really pushing. It became clear only after watching several of the so-called classics (as if any film made less than fifty years ago could be termed a classic!) that the real agenda was truly Satanic - manga films exist solely to promote the idea that paedophilia is good!
Not content with dominance in the field of consumer electronics, it was now clear to me that the Japanese wished to bring about the downfall of our society by spreading this cancer in our midst, targeting the most naive and vulnerable segments of our population - teenagers and college students.
The evidence for this is clear to anyone not so simple-minded and deluded by a Liberal education. In a cheap trick the perverts that create manga films have stolen their animation techniques from Disney, and given all of their characters the same wide-eyed child-like look of innocence seen in such timeless children's classics as Sleeping Beauty or Snow White. This makes it clear that even when showing supposedly adult characters, they are subliminally referring instead to young children.
Of course it doesn't end here, for like all Liberal filthmongers they know no bounds to their depravity. The characters in these obscenities, especially the female ones, are drawn in a blatantly sexual manner, with exaggerated sexual attributes, impossible proportions and disturbingly provocative clothing (when there is any!). Each character has been crafted to act upon the deadly sin of lust, and is an unholy masterpiece of desire. I found myself watching these succubi again and again, mesmerised and unable to comprehend such un-Christian filth.
When you combine the evidence the secret agenda becomes only too clear - that children are sexual creatures, and that it is alright to feel lust towards them. Furthermore, the graphic scenes of violence in manga films are clearly designed to incite violence against children in the furtherance of these foul desires. Clearly it is not only enough to simply instill such unwholesome thoughts in the minds of our youth, they are intent upon inciting violence of a most deviant manner upon our nation's children!
This is against everything that is decent and Christian in the world! It is clearly part of the Liberalist agenda of secular multiculturalism, and part of the drive towards their ultimate goal of One World government ruling over a homogeneous, unthinking lower class devoid of the Christian ethics that separate us from savages.
Tomorrow I begin my crusade. If you too share the values that made this country the greatest in the world, I urge you to think of a generation lost to Satan, and to make a stand against the tide of filth lapping at our Christian shores.
The problem does indeed exist in OS9, since the problem is, in general terms, getting the user to download and install malicious software, since there's no way of verifying the authenticity of the update.
Speaking from experience, yes, often times a whole bunch of features are developed and then they sit on it. It makes more marketing sense to release things in increments.
Hard to tell whether this is right or wrong...but at least they released this quickly after the flaw was announced.
you could make a Beowulf cluster of mac security holes
Ah. I too encountered the issue that the checksum didn't match... until I realized I was not checking the .dmg, but rather the .pkg. Make sure you are checking the .dmg and everything should match up. Now of course you have to trust that the checksum is authentic...
The line between terrorist and patriot depends on which side of the Molotov cocktail you are on.
It's better that SU looks at checksums of incoming packages, I agree.
But how does it verify the checksums it matches?
If SU is looking up a list of checksums on a web site somewhere, what stops this attack from happening again?
Just set up another spoofed web server that dishes out checksums for bogus packages, and SU thinks everything is okay...
Slashdot is funny. When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software.
When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it.
Apple patch! Apple patch! Cinn-a-mon toast-ty App-pple patch! It's fun and tasty but it doesn't taste like Apples! Ask mom to get yours today!
Yes, but can we trust the software update to software update? 8-)
Then they'd have to make a "Software Update Security Hole Patch software update/security hole patch".
I design user interfaces for a free network management application,
people are hypocrites.
I am a homosexual. I bought an Apple computer because of its well earned reputation for being "the" gay computer. Since I have become an Apple owner, I have been exposed to a whole new world of gay friends. It is really a pleasure to meet and compute with other homos such as myself. I plan on using my new Apple computer as a way to entice and recruit young schoolboys into the homosexual lifestyle; it would be so helpful if you could produce more software which would appeal to young boys. Thanks in advance.
with much gayness,
Father Randy O'Day, S.J.
Here's its description of the patch:
Security Update 7-12-02 delivers a more secure Software Update service to verify that future updates originate from Apple. If you would prefer to download this manually from a secure Apple server you can download the package at http://www.info.apple.com/kbnum/n75304
ALL that this quasi-"hole" came down to was, "Wow! If you download software updates from apple.com over the internet, you are susceptible to man-in-the-middle attacks!" what a surprise. I mean, it's a VERY GOOD THING apple has plugged this, i'm just saying if they hadn't no one would have really been hurt :)
Anyway, though, let's just check: how do the other OSes handle this same problem? Someone in another thread claimed that Windows Update used some kind of "SHA-1" hashing, or something. OK. What about the Unix world? How does apt-get validate the checksums of the "new packages" it receives when you run apt-get update? How does "red carpet" do the same? What about the BSD ports system? When you go to www.solaris.com or www.redhat.com or www.kernel.org, and you see on the news page that there's a big new security patch, and you download it, how do you know that that's real and you aren't just looking at something sitting on a compromised router somewhere, masquerading as those sites?
I am just curious.
Maybe if the government would stop dicking with everyone and intentionally making it difficult to widely implement ssh and scp (scp is the ftp/ssh thing, right?) on a large scale in software projects such as web browsers, we'd have scp everywhere by now, and web browsers would default to https, and the public keys for ftp.apple.com and ftp.microsoft.com and ftp.debian.org would all be logged in the "trusted public keys" files of those respective OSes by default, and this wouldn't be a problem, because netscape and internet explorer would give you big warning signs everywhere when the ftp site you are looking at isn't the one you think it is.. and everyone would be just that much safer from being subject to service interruptions because of social engineering.
Do you ever use telnet? Ever?
Do you use insecure POP3?
If either of these things is true, your passwords are flying through unprotected space every time you do either one, and you have no sane reason to complain about apple leaving apple software update with this "hole" for so long. If someone has the ability to exploit the software update "hole" mentioned here, they also have the ability to eavesdrop on all the traffic-- including passwords-- that you create when you do telnet, insecure POP3, or a number of other things.
I'd say the hypocrisy here is that we're considering it a horrendous hole that an apple network application was susceptible to man-in-the-middle attacks, but we're not, as members of the internet community as a whole, looking for ways that we can implement things such as ssh tunnelling or s/wan on a massive scale so that man-in-the-middle attacks can be wiped out at the root of the problem instead of having to be implemented individually in every single application in the universe.
This update also adds the command-line updating tool that comes with Xserve. See 'man softwareupdate'.
This space unintentionally left unblank.
and claim riches uncountable and knowledge untold
Yes, so long as the means of communicating the checksum are secure (i.e., not prone to a man-in-the-middle attack).
Actually checksums have been used for years in order to ensure that a program has not been replaced with a malicious bit of code or modified in any way:
For instance, you want to make sure you haven't been hacked and ls hasn't been tampered with to hide the files? Have a checksum for it stored offsite and/or in a secure manner (encrypt it with a symmetric key and pray that key hasn't been compromised as well) and then compare with what pops up when you look at the file.
The idea is that if the file has changed at all, the checksum is going to be different.
Note though that in order for this to work the means by which you receive the checksum *must* be secure. They can be cleartext (such as in this case), but you must be able to confirm the source of the checksum is who you think it is.
Thus, it would be a poor way for the software update mechanism to operate (since the attacker could send a false checksum) but is okay for something like this.
Integrate Keynote and LaTeX
A hacker now just has to do some more work. Instead of just the DNS misdirection, they now need to create a checksum for their bad/malicious code. The updater will query their fake update server for the now forged checksum and see it matches the fake update package that was retrieved from the same hacked up server.
Even if they automatically get the checksum from a specific IP or set of IPs, all one has to do is create a server with that IP and insert it in the network and get a few routers to change their IP routing tables.
If they use a third party to verify the downloaded checksum is authentic, that server itself is vulnerable to the DNS and IP routing 'man in the middle' attacks.
This just makes the hacker's job a little more complex. But if they have privs to alter DNS on a server this is just two minutes extra work. This whole thing is just silly. The initial problem was a non-problem. The solution doesn't provide any substantial obstacle to someone that wants to perpetrate such an attack. There in fact is no solution other than a 1-1 split key system. I generate a public key one time and send it to Apple. They then use that key to encrypt/sign all the updates sent to me. I use the private key to verify/decrypt the update and install it. I know that only Apple has my public key so I can be safe.
The problem here of course is that Apple needs to store potentially millions of public keys on their servers, and use a lot of CPU to do the unique signing/encrypting as people request the updates.
The split key eliminates the man in the middle, as they have no way to get ahold of each user's public key. They can't fake one, and no amount of DNS or IP redirection (other than the initial sending of the public key) will allow them to masquerade as the authentic site.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
A hacker now just has to do some more work. Instead of just the DNS misdirection, they now need to create a checksum for their bad/malicious code. The updater will query their fake update server for the now forged checksum and see it matches the fake update package that was retrieved from the same hacked up server.
Ever heard about public key cryptography? They sign their packages with their private key, and their public key is hard coded in the software. It's not just a checksum, it's a cryptographically signed checksum. It's pretty safe.
To sign a checksum for his bad code, the attacker needs to crack Apple's private key. Which can take a few weeks if you're the NSA, but a few hundred years if you're anyone else.
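The two positions in this thread (a checksum fetched from the same spoofed server is worthless; a checksum signed with the vendor's private key and checked against a public key pinned in the client is not) can be shown side by side. This is an added example, not Apple's Software Update code: it assumes RSA PKCS#1 v1.5 over SHA-256 and a constructed catalog format, and the "attacker" step only swaps a package and re-publishes its matching checksum, which is exactly the move described above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Catalog is what an update server hands the client (constructed format):
// the package bytes, the checksum the server claims for them, and optionally
// the vendor's signature over that checksum.
type Catalog struct {
	Package  []byte
	Checksum string // hex SHA-256 of Package, as published by the server
	Sig      []byte // signature over Checksum; nil in the unsigned scheme
}

// sha256Hex returns the hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyPlain is the checksum-only check: does the package hash to the
// checksum that arrived with it? Whoever controls the server, or sits in
// the middle, can rewrite both, so this catches corruption, not substitution.
func VerifyPlain(c Catalog) bool {
	return sha256Hex(c.Package) == c.Checksum
}

// VerifySigned additionally requires the checksum to carry a signature from
// the vendor's private key. pub is pinned in the client, never fetched.
func VerifySigned(c Catalog, pub *rsa.PublicKey) bool {
	if !VerifyPlain(c) {
		return false
	}
	digest := sha256.Sum256([]byte(c.Checksum))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], c.Sig) == nil
}

// PublishSigned is the vendor's offline step: hash the package and sign the
// hash with the private key.
func PublishSigned(pkg []byte, priv *rsa.PrivateKey) (Catalog, error) {
	sum := sha256Hex(pkg)
	digest := sha256.Sum256([]byte(sum))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Catalog{}, err
	}
	return Catalog{Package: pkg, Checksum: sum, Sig: sig}, nil
}

// Tamper models the spoofed-server scenario from the thread: replace the
// package and publish a fresh, matching checksum. The old signature is kept
// because without the private key no new one can be produced.
func Tamper(c Catalog, replacement []byte) Catalog {
	return Catalog{Package: replacement, Checksum: sha256Hex(replacement), Sig: c.Sig}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vendor key
	if err != nil {
		panic(err)
	}
	genuine, err := PublishSigned([]byte("genuine update payload (constructed)"), priv)
	if err != nil {
		panic(err)
	}
	swapped := Tamper(genuine, []byte("substituted update payload (constructed)"))
	fmt.Println("genuine, checksum only:", VerifyPlain(genuine))                   // true
	fmt.Println("swapped, checksum only:", VerifyPlain(swapped))                   // true: check is useless
	fmt.Println("genuine, signed checksum:", VerifySigned(genuine, &priv.PublicKey)) // true
	fmt.Println("swapped, signed checksum:", VerifySigned(swapped, &priv.PublicKey)) // false
}
```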
1) If you download a package, and for some reason, it doesn't install right off (any kind of error, or even if you're just not ready yet), Software Update FORGETS IT HAS DOWNLOADED IT. This is particularly frustrating when you have just downloaded an 18 MB package over your modem, and you have to do it again.
2) If you download part of a package, of course, it doesn't use any kind of smart downloading process to pick up where it left off. Arg.
3) What is this with everything requiring 300 MB to install 20 MB pieces of software? Sure, that's sneezing space for those of you with 40 GB drives, but some of us are still running mere 5 Gig machines.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
The "Installer" application has a bug in which it miscalculates the space required for an update or install. It's a silly bug, but since most new Macs have a hard drive of 30GB or more even 300MB is hardly anything.
-- thinkyhead software and media
For someone to steal a single private key is rather trivial. Getting enough CPU together to brute force the private key is relatively simple, especially for a hacker that has compromised many systems and can easily install a distributed key generator on all of them. As was seen by several recent worms/viruses it would be possible to install such a client of literally tens of thousands of systems. Since you can have both encrypted and decrypted versions of the protected information, checking for a good key is easy.
If, in my method, a hacker was to get hold of a public key or two (or a hundred), only a few people or sites would be affected. All the other keys would not be compromised. The risk of wide-spread corruption is almost nil. A hacker would need to get the account information and the account's encrypting key before a successful redirection would work and install the modified code.
Apple already has the infrastructure of the iTools system for storing the private keys for each site/user/system and for the authentication for updates. The only thing that would remain is to be sure they have enough CPU power to do on-the-fly signing for each request. This is the scenario I see:
Create a public/private key pair using an Apple supplied utility (or GPG)
Log in to iTools and send them the public key (using SSL)
later:
SWU queries Apple for any new packages
If packages are available, SWU sends the iTools account info (using SSL)
Apple retrieves your public key and uses it to sign the appropriate packages
SWU retrieves the signed packages and verifies them against your local private key
If they pass muster the packages are installed.
Many people will say the single signer model is safe enough. That may be true, but don't for a moment think that it actually eliminates the risk of wide-spread distribution of fake updates. The multiple signers model does.
doesn't seem to be compatible with the 10.1.3.1337 update that came out yesterday :(. in fact, all my programs don't launch anymore. not even aol.
When Microsoft has an auto-update for XP, you bash them.
You mean let's say they took over distributed.net and had around 28,149 (or more, since this was the active number of participants in rc5-64 yesterday, who could have multiple machines) machines trying to crack said keys. Let's see, they have been working on rc5-64 for 5 years now... Putting in some estimation for Moore's law, let's say it would take 2 years starting now. So let's get it done in a 3 month period then we need 8 times as many machines. That means at least 160,000 compromised machines all contacting unknown network addresses over three months. If that is not noticed, that is one hell of a hacker. And that's assuming that Apple used something with an outdated keyspace that's only about as large as rc5-64.
In other words, yeah, it might not be the safest option out there. But it's safe enough for me.
I think you underestimate the difficulty of brute-forcing RSA-style keys... RSA-129 (which is about 426 bits long) took 1600 computers 8 months to factor back in 1994. That was the part that could be distributed over multiple machines. Then it took a supercomputer with 16384 processors 45 hours to solve the 4GB matrix that came out of the distributed part of the process.
It's not gonna be a piece of cake to crack the 1024 bits keys that are the minimum people use these days, even if you do have tens of thousands of machines to do the distributed part. And after you're done with that, where are you gonna get a computer that can solve a multi-gigabyte matrix in a reasonable amount of time?
The real truth of the matter is that it's not Apple who gets a free ride here at Slashdot - it's Linux. Usually when a Linux distro is patched/updated the story on the front page ( and it's always on the front page) usually includes the word "drool" and at least one exclamation point. Apple takes their lumps here same as Microsoft. Worse in many ways because more than half the people here are at least dual-booting a MS OS. Almost none are using an Apple one. But when do the Linux guys get criticised here? About anything?
And just for the record.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
If you need to report a security problem to Apple, there are instructions on the Apple Product Security page.
It boils to an email to product-security@apple.com. Encrypt sensitive information using Apple's product security PGP key, key ID 0x44E85F68, fingerprint AE43 8996 9250 78A6 D587 3CA8 2165 60D7 44E8 5F68.
Although PGP for Mac OS X is sadly still in suspended animation, others have mentioned the availability of MacGPG and related tools, which are perfectly suitable for PGP, including rudimentary integration with Mail.app.
Well, software update is now available from the CLI:
Welcome to Darwin!
[jupiter:~] root# softwareupdate
Software Update Tool
Copyright 2002 Apple Computer, Inc.
Your software is up to date.
[jupiter:~] root#
Also, the man page for software update says you can install (a) specific update(s) by name, by softwareupdate [item
Interestingly, it must be run as root, though Software Update via System Preferences only requires an Administrator's password -- this could just be because it sudo's, as an admin *can* sudo... Also, it was written (the CLI tool, or at least the man page) on May 2, 2002.
One cool new thing in the Software Update Security Update... it adds a file to /usr/sbin/ called softwareupdate. Looks like darwin users may soon be able to keep up to date as well
An example (maybe a bit exaggerated):
Several bugs have been found in some versions of Linux and one in BSD:
Linux: Day one: New patch fix for kernel blah.blah released.
Day one cont.: Another patch released
Day three: Two more patches released; Everything fixed.
Major press releases: A few.
People's general response: Yay what's new.
Mac: Day one: Nothing
Day two: Nothing
Day five: Patch released within 5 days omfg!!!
Media coverage: Everybody and their dog knows (esp. thanks to
People's general (and much intended by the media) response: omg Apple rulez compared to microsoft i'm so glad apple exists otherwise i'd have viruses etc. blah blah terrorists could blah blah blah.........
Is it just me or does anybody think that a proprietary OS is a proprietary OS is a proprietary OS is a proprietary OS.......... How is apple any better than microsoft? Ok, maybe more deceptive and subtle, i'll give you that...
Anyone who can put a trojan on the site can also put a bum SHA1 on it. Why doesn't Apple use PKI?
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
I appreciate, even though it is probably coincidental, that Apple did NOT attack the press for reporting this hole before they had a chance to plug it. It has been a reasonably quick, mature response. Unlike another company that we all know that seems incapable of fixing holes without having a go at all "enemies" on the side.
Your pocket must be saturated with urine. Well done. I suppose you want us to notice that you're not a hypocrite, and I suppose you're trying to extract attention and accolades for your superior moral stance. Well, once again, congratulations. You're our hero. foad kthx.
at any rate, the reason for microsoft getting panned for issuing a patch two days after the vuln is "reported" is because THEY SIT ON THE FUCKING VULN REPORTS FOR WEEKS, RETARD. They only leak the vuln as soon as their patch is ready, which is weeks after THEY'RE TOLD ABOUT IT.
not impossible, if you're the nsa (or can they?), or can throw millions of teraflops at the job (this equates to being able to throw billions in cash btw). other than that it is impossible, not even mass distributed computing will do it before the key in question expires (bear in mind that apple has their keys expiring after a year).
Had to remove critical updates to keep XP from locking up on me.
However, I would have thought that would be standard practice in this day and age, most everything else done by major companies has some sort of cryptographic signature in this sort of context...
XML is like violence. If it doesn't solve the problem, use more.
Your separate-key-for-everyone idea is fucking retarded. Even if apple had everyone's public keys and encrypted it to them, so they could download and decrypt it, they'd still need to sign it with their private key. Encryption isn't the issue; it's the signature verification that matters. Even if everyone (stupidly) had to send public keys to apple, apple would still need a master private key to sign with, and they'd still need the corresponding pubkey to be distributed with softwareupdate.
It isn't hard to use 4096bit keys (not sure if they do), but even smaller sizes are still practically impossible to break. Regardless of NSA technology, simple physics keeps them from brute forcing keys. The energy it would take to flip that many bits is astronomical.
Apple could easily guard the secret key by keeping it (a) well backed up in safe offline locations and (b) keeping the copy they use on an offline machine, and manually transferring the data to be signed on and off using physical media. Extreme, but secure.
You either don't "get" the concept of signing, or you're trolling. In either case, fuck off, mate.
While this is a valid point, I doubt it poses a plausible threat in this particular case, primarily because public key encryption is so widely used. If anyone wanted to spend enormous amounts of resources to crack such keys, the chances are, they won't be going after Apple's Software Update servers and its relatively small number of clients.
The same has been seen with viruses. It's not necessary that viruses and worms are more difficult to write for Macs (although that may be the case), but a simple matter of economics. Why write a virus that would, at most, infect 2-4% of the world's computers when, for the same (or less) effort, 90% of the world's computers can be targeted?
---
Open Source Shirts
Good point. But that could also be said about the initial 'problem'. If someone were going to do a MiM attack via DNS spoof, why would they target Apple and not Microsoft, or Adobe or Id (or whoever makes the latest game).
I think the problem with your statement though is that it qualifies as security by obscurity. Claiming relative safety because of a relatively small size is just bad voodoo.
As for the cracking issue, I'd be far less worried about someone cracking the cipher than I am someone emailing it out of the building, or someone hacking in and downloading it.
> Ever heard about public key cryptography?
This raises an interesting point (though one that goes a bit off topic for the Apple update): What happens when some math grad student discovers a generalised way to determine a private key given the corresponding public key? Just something to think about.
Cut that out, or I will ship you to Norilsk in a box.
We can all throw out our frequent-flyer cards and starting riding pigs transcontinentally...