Unsanity Developer Comes to APE's Defense

beelsebob writes "Rosyna, the famously tellytubby-like Unsanity Developer has spoken out in the defense of their Application Enhancer (APE) framework. The framework has taken a beating since it came out, being accused of being spyware, or of crashing computers. In fact Unsanity have only received one bug report about APE itself, which was promptly fixed. The article is a very good defence of the product, and a very good read."

Re:Extensions for Mac OS X

[moof1138]

Hmmm... check one for didn't read the key point of the parent post: "it inserts code into every running program. Blindly."

That is the point that Rosyna didn't touch in his article. He just pretends that since it is the particular module's code that is injected and not APE Framework that this is somehow okay. If you think it is acceptable to let essentially arbitrary code be injected into every running application, that is your business, but critics are right to point out that it is a security nightmare, and it will destabilize all apps on the system by design.

Rosyna pretended that since there was one bug filed against the APE framework that this means that it would not destabilize apps. But no apps were not designed to have additional code injected into them via APE, and most were generally not tested in that environment. The behavior of the framework is the issue not the fact that the framework and daemon itself are stable.

Re:mod parent down!

[ahknight]

Why would I not say that just by reading a man's opinion? You do realize that's what the "article" is, right? His opinion. His whole point is because the APE modules cause the crashes that the idea of APE is a good one. It works like OS 9 extensions at a fundamental level, only for programs. It's begging for a crash. Indeed, it does. Often.

I support Macs for a living. APE is banned. Every single time we have chronic problems on a Mac, we trace it back to someone using Shapeshifter or some other hack. Does it mean APE is buggy? No, it means it's a bad idea. Unsane, if you will.

Re:Extensions for Mac OS X

[moof1138]

Interesting that you bring up protected memory. In a way APE defeats the purpose of protected memory since it injects code into every running application. Here is the scary part about what that means - once someone has APE running all haxies can poke around anywhere they want in any running apps memory space, so they can know every application password used, they can read anything out of your keychain that an app is allowed to read prompting you on behalf of the app for the keychain password, and so on. APE is a serious security nightmare. I have no reason to think that this has been exploited as yet, but installing APE opens the door for the abuse, especially if you are running closed-source haxies.

While there are no known cases of APE based spyware at this point, APE could potentially be exploited a very effective vector for spyware (and viruses).

Well.. I'm interested

[slughead]

I bought a TV tuner card recently and the software included uses APE. I also own windowshadeX (which is better than exposé in a lot of ways)..

Somewhere in their code, Unsanity does include spyware for WSX, I'm not sure if it's WSX or APE, but it's in there somewhere. Me and Rosnya (why does he pose as a russian female?) debated whether or not Unsanity was breaking the law by not telling anyone about their spyware.. (despite what he tells you, he's wrong).

If it were anyone else, I'd probably say this long drawn out PR was just a bunch of cover-their-ass crap, but Unsanity is a good group of guys and until Windows trips over its big fat ass and Apple takes over, we need all the skilled developers we can get. In addition I know this particular redheaded weirdo who calls himself Rosnya, and though he is capable of doublethink, he's not a liar, and I for one now feel relieved that I have one less base to cover when debugging OS X.

Re:Well.. I'm interested

[beelsebob]

1. Rosyna doesn't pose as a russian female, she poses as a tellytubby.
2. Windowshade X is not spyware, and I'd love to see you prove it is with some packet monitoring software as Rosyna suggests in the article
3. Unsanity isn't breaking the law by not telling anyone about their spyware, because they don't give out spyware.

Bob

Re:Extensions for Mac OS X

[rixstep]

critics are right to point out that it is a security nightmare, and it will destabilize all apps on the system by design

This is correct. Some people know the Mac, but few people know Unix. Ken Thompson, one of the fathers of Unix, said emphatically:

Keep your hands off the drivers.

The whole idea of Unix is not only security but respect - a respect that enhances security.

The very thought that code in a 32-bit protected mode system would be able to do things like this - correct me if I am wrong, but APEs require your administrator password, right? That means that even though they are 3rd party code they want to go where they have no right going.

APEs and everything like them depend on 'hacks' as their name implies. They're going to break easily as what they're doing is not officially supported by the operating system, and yes they are dangerous.

I would also like to cite a few pieces of the Unsanity article.

It is installed in /Library/Frameworks/ like a good framework should be.

This is patently not true. Good frameworks should be installed in ~/Library/Frameworks, your own directory. The directory Unsanity chooses automatically affects all users on the same machine.

Another directory exploited is /Library/Application Enhancers - again, this is an area which affects all users on the same machine. The fact that Unsanity use daemons also points to all users being affected by what one user wishes to do, and preferably in user mode.

One of my favourites is:

Since Apple does not provide a way (other than with kernel extensions) to change the behaviour of different applications, we had to engineer one on our own.

Oh wow. Perhaps - just perhaps - Apple did not provide this for security reasons? And comparing an APE with gdb is just silly: gdb is meant to be used in testing, not on secure stable end user machines.

I also note the following:

They do not break down the barriers of protected memory.

Ah - let me just say that without a more technically substantial run-through, most of us are going to remain unconvinced. And it's fairly obvious, at any rate, that barriers somewhere are being broken down.

Finally, I don't think APEs are spyware, but I get what the complainers are going on about: they feel uneasy because they know there's something 'illicit' going on in their systems.

Remember what Ken Thompson said. Unix didn't get so far and do so well because Bell Labs specialised in application enhancers. Keep your hands off the drivers, and keep your hands off software that won't keep its hands to itself.

If the software isn't coming from Apple and still wants your administrator password, reject it. That software has no business going into areas of your disk where it doesn't belong. That is your security involved.

A good example of what can happen is Interarchy. It wants your adminstrator password and then leaves about 1.5 MB of junk in areas even you can't ordinarily get to, and all without telling you. That's what these freaks find tantamount to 'spyware': 'illicit' things going on in your machine, without your express approval.

If you can't make the operating system work better, write to the vendor (Apple). Don't do anything yourself. If you want apps on top of the operating system, fine - just play by the rules.

I suspect the Unsanity programmers are very good at what they do, but what they're doing is definitely not Unix. Not even close.

In support of Unsanity

[John+Siracusa]

You can take my Haxies from me when you pry them from my cold, dead hands.

Yes, it would be better if Apple provided clean(er) hooks for things like Windowshade and FruitMenu. But they don't, and I'll take Unsanity's implementations over nothing at all and day of the week and twice on Sunday. They make my computing life so much better that they are, by far, the best investment I have ever made in software, dollar for dollar (I bought when they were $7 too :-)

Lots of "code that you didn't write" runs in your application's process space. I don't see how Apple or the DivX guys or anyone else are any better or more trustworthy than Unsanity in this regard. If a QuickTime plugin causes a crash, disable it. If an APE Module causes a crash, disable it (or exclude that app using APE Manager). IMO, Unsanity's record is impeccable thus far, and they are certainly a lot more responsive than a big company like Apple.

Yes, being a developer is hard. Sometimes you have to debug problems caused by other people's code. Sometimes new versions of the OS break your app. How dare those users upgrade their OS! How dare they install software that runs in your process space! Sorry, but that's the right of the user.

If you want to blame anyone, blame Apple for not providing "nicer" ways to do the things that so many users so obviously want to do. Unsanity would have been out of business long ago if there wasn't a real demand for the services they provide--despite the particular way they are forced to implement them.

Re:In support of Unsanity

[John+Siracusa]

I don't see how Apple or the DivX guys or anyone else are any better or more trustworthy than Unsanity in this regard.

Do you really not see how Apple is better in this regard? It seems unlikely that anyone could be that thick, but I'll give it a go:

Apple uses talented programmers, has a QA department, doesn't allow commits without thorough code reviews (or at least, didn't in my department when I worked there), and tests in a multitude of different environments. Plus they have guidelines for acceptable programming.

...and yet Unsanity has yet to produce an installer with a novice-level bug (improper quoting in a shell script) that could cause entire disks to be erased (iTunes installer, I forget the version...remember that one?)

Everyone creates bugs. My point was that many kinds of "foreign code" is running in other applications' address spaces: QuickTime plugins, InputManagers, Contextual Menu Plug-ins, and so on, all written by many different kinds of developers and organizations, none of which are inherently inferior or superior to any other, in the aggregate.

And some people, people with an attitude like yours, will find some way around my safeguards, and then will still send me crash logs with APE in them and expect me to fix them.

A crash log with "APE in it" does not necessarily mean that an APE module caused the crash. Anyway, if you did get such a crash log, it's your choice to ignore it or not. But if 90% of your customers are running APE because they all want to use Windowshade or whatever, that's just a reality of the market. Cursing it and turning your back is not going to win you any new customers.

If I ever release any of the Cocoa apps that I whipped up for my own use to the general public, that's probably what I'll do. I don't see any compelling reason to release them right now... it would take dozens of hours of polishing, and then some sort of a volunteer beta program, all so that 0.1% of my users can send me $10 and 80% of my users can expect me to fix my bugs for them even though they haven't paid me. (I'm not a big fan of cripple-ware.) Add haxies (which I've run afoul of before, when I was doing contract work) and their ilk to that mix, requiring me to fix OTHER PEOPLE'S BUGS for free, and you'll probably never see my apps out there. They work for me, and that's all I need.

Yes, it's quite a hardship creating software for use in such an "impure" thing as the real world... ;)

.If you don't like Mac OS X's user interface, you don't have to use it, but the last thing you should expect is good support for changing it.

Why shouldn't I expect OS support for something a lot of people want to do? From the article comments:

Apple should provide a way to do the things that the most popular haxies do (Apple menu customization, window minimization plug-ins, etc.), without resorting to "universal code injection." [...]

By providing clean hooks for commonly desired functionality, Apple can substantially decrease the demand for and usage of APEs (and other, worse software that, say, actually modifies your system files).

But the demand for APE-like thingies will never be eliminated entirely because there is a large class of things that users want their computers to do that, by definition, affect every running app. Themes are just one example.

The most constructive course of action for Apple is to recognize this fact and try to come up with a way to allow such software to be created as safely as possible. Thus far, Apple has tried to discourage and prevent such software, but attacking the supply side is not the answer. First, recognize the demand, then try to provide for it (or allow others to

Bang head here...

[dpbsmith]

OK, so the problems are not in the APE framework, but in the modules that run under it. However, the framework is useless without modules to run under it. The equation is clear enough: install haxies and incur a significant risk of problems. The benefits may, in a sensible person's mind, outweigh the risks, just as was true of extensions in OS 9 and TSR's in MS-DOS, but the risks are not negligible. To say that they don't matter because they're not the fault if the APE framework itself is silly.

Please spare me the enthusiasts for whom no failure is ever the fault of the object of their enthusiasm. For example, Windows advocates who insist that bluescreens don't count because they're caused by "drivers," while ignoring the fact that you needed to install drivers to get your display hardware/Adaptec SCSI card/whatever to work.

True story. Circa late seventies. A friend was praising his NorthStar computer to the skies. I asked if it was reliable. He said it had been 100% reliable and he'd never had any problems at all. I asked him to demonstrate it to me. He said, "Oh, sorry, I can right now, the power supply burned out and I'm waiting for a replacement." I said, "But I thought you said it was 100% reliable." He replied, "The computer works fine--it's just the power supply that's out."

Re:Oh Joy!

Carbon's not going away, just like stdlib. Claiming that they're "equal" is just silly, though.

No matter how much work apple puts into exposing C APIs for new funcitonality, the long and short of it is that doing any given task in carbon will ALWAYS be far more work. Sorry, that's just the nature of the beast.

why?

Well, can somebody explain why OSXVNC's GUI portion refuses to function due to APE? The developer seems to think that the blame lies at the door's of Unsanity, and I sure as hell can't get the GUI part of it to work for more than 5 minutes.

Why is that?

http://www.redstonesoftware.com/osxvnc/OSXvnc.ht ml

AbiWord, Firefox, TextSoap crash only with APE

[ankhank]

I tried Paranoid Android 1.2; accumulated immediate crashes from AbiWord and TextSoap, when doing anything involving a large block of text between them, whether by drag'n'drop or copy/paste.

Removed APE, rebooted, problem gone.

Reported to developer.

Last time I tried APE, a year ago, similar problems persisted til I removed it. Reported it then too.

Re:Extensions for Mac OS X

[allgood2]

>>The very thought that code in a 32-bit protected mode system would be able to do things like this - correct me if I am wrong, but APEs require your administrator password, right? That means that even though they are 3rd party code they want to go where they have no right going.

OK. According to the Apple software specifications, any application that follows Apple's guidelines should request an Admin password, insuring that the user is authorized to install applications onto the system. Technically speaking, I have more of a problem when installers DON'T ask for a password, since it means anyone could have installed it on my system, something I expressly do not want.

>>It is installed in /Library/Frameworks/ like a good framework should be.

Unsanity haxies default to a single user, and provide the option of selecting for ALL users on the system, as part of the installer. I would imagine she was just being lazy and referring to 'all' modifiable /Library/Frameworks, rather than specifying both.

>>security
I'm certain someone with enough skill and time could hack APE and take advantage, but as it stands, to install a haxie using APE, the developer must first register their haxie with Unsanity. So its not currently as if I could just script something, take advantage of APE and then perform malicious tasks.

APE is EVIL!!!

[WiseWeasel]

I'm a part of several independent software development projects (on the PR side, mostly), and can vouch that APE is a piece of shit, and should not be installed by anyone who cares about stability and data integrity. When users get crashing problems and send us their crash logs, APE modules are usually to blame. As such, we just tell our users that we won't support them as long as APE is installed, and get them to uninstall it whenever we see it active in logs users send us. We might even have to add code to our app to prevent it from running if APE tries to insert its threads in our app's memory. I sincerely hope that Apple makes this kind of software impossible by preventing arbitrary third party code from being inserted into apps' protected memory (with explicit exceptions for valid plug-ins, of course). I don't care what Unsanity says, they're full of crap. APE has got to be the #1 source of crashes on MacOS X. Congratulations, Unsanity, for millions of dollars worth of lost work and time. I say we get the torches and rope!