Unsanity Developer Comes to APE's Defense
beelsebob writes "Rosyna, the famously tellytubby-like Unsanity Developer has spoken out in the defense of their Application Enhancer (APE) framework. The framework has taken a beating since it came out, being accused of being spyware, or of crashing computers. In fact Unsanity have only received one bug report about APE itself, which was promptly fixed. The article is a very good defence of the product, and a very good read."
All APE does is recreate the problematic Extensions architecture of Mac OS 9 with Mac OS X. You know, that architecture we wanted to get away from....
It inserts code into every running program. Blindly. This is somehow defendable on any level?
I can't seem to reach unsanity.org.
and last time I heard.. nobody put a gun to your head to install it. -- this sig withheld for environmental reasons
savethedollhouse.com
I still can't stand their names.
The company name, PLEASE! Unsanity? Come on.
Haxies, what are we? 3? Come on, I'm not going to install something that a crazy mommy and daddy think their 3 month old infant burped up with its dinner.
I feel insulted that they would dare make their own name for a method of changing MacOS that's been around for decades. To top it off their explanation for the term is a pure insult to my intelligence.
In fact I think the MacHack Conference changed its name just because it was insulted by the name "Haxies". MacHaxies Conference *COUGH*
Insightful!? He didn't RTFA! But neither did the jerk of a moderator, so who's the real culprit? Propose a new word: jerkmod.
Maybe someone could explain the enigmatic "tellytubby-like" comment? Like, please don't say something like that and just assume everyone knows what the funk you're talking about? Like, especially when a google doesn't enlighten?
LIKE, YOU KNOW???
#19845
...we find that no one cares about this topic. Thirteen posts, all scored 1 or lower -- this must be a record for disinterest!
--
Don't like it? Respond with words, not karma.
..of a very bad idea.
This is the key point that Unsanity is missing. We removed trap patching (as a supported extensibility mechanism) and all the insanity that goes with it in Mac OS X for a reason. That shit destabilizes everything. - a former Carbon developer at Apple
A lot of this came about because of the rash of URL handler exploits in Mac OS X recently.
In the mad rush to secure Mac OS X, two groups emerged. The Paranoid Android (based upon APE) and the RCDefault/More Internet side.
Unsanity (makers of PA) had an incomplete product at first that could not keep up with the rapid new discoveries. It was designed to check the URL handlers for you for suspicious behavior; problem was it didn't cover all the URL handlers.
v 1.1 was no good and finally Unsanity came out with v 1.2 which covered them better.
Now on the other side of the camp is the RCDefaultApp and More Internet crowd, which schooled people to turn off/reassign the URL handlers themselves with a very easy to use program.
Their argument was that one didn't need to install a "haxie" (in their own words) "injects code in all your programs" & "they do their thing by violating the boundaries of protected memory."
http://daringfireball.net/2004/05/help_viewer_security_update
Either way, I'm glad the Mac community turned out in force to solve these problems in a jiffy, Apple should be ashamed of themselves, being warned over 4 months ago about them.
If using Paranoid Android was the only option to prevent these exploits, I'm sure everyone would be happy using it. But it seems to me just disabling the URL handlers manually until needed or reassigning would have been a better option.
I'm glad we had a choice, so kudos to both and thanks.
I bought a TV tuner card recently and the software included uses APE. I also own windowshadeX (which is better than exposé in a lot of ways)..
Somewhere in their code, Unsanity does include spyware for WSX, I'm not sure if it's WSX or APE, but it's in there somewhere. Me and Rosyna (why does he pose as a Russian female?) debated whether or not Unsanity was breaking the law by not telling anyone about their spyware.. (despite what he tells you, he's wrong).
If it were anyone else, I'd probably say this long drawn out PR was just a bunch of cover-their-ass crap, but Unsanity is a good group of guys and until Windows trips over its big fat ass and Apple takes over, we need all the skilled developers we can get. In addition I know this particular redheaded weirdo who calls himself Rosyna, and though he is capable of doublethink, he's not a liar, and I for one now feel relieved that I have one less base to cover when debugging OS X.
Latewire
If you don't like it, don't use it. Plain and simple.
Some of us, for example, route audio from different applications to different places; when I play music or games, it comes out through my audio system and the amplified speakers - when an e-mail dings at me, it comes out through an internal speaker.
Haxies like Detour, which provide real, interesting function, which is useful for any pro-audio guy with a lot of very loud audio hardware that you don't want system beeps playing over, is fundamentally interesting - moreso if you've got more than one set of audio outputs.
So, before people go off badmouthing how awful it is, they should think twice: that same code injection technology enables everything from Shapeshifter to reskin your UI to useful functions like being able to reroute your audio away or into your pro-audio equipment on an application-by-application basis.
In other words: despite everyone's nasty opinions, it provides a useful service to those of us with unusual requirements of our systems.
-- A mind is a terrible thing.
Another Carbon Framework.
Let's hope after WWDC people see the trend of less Carbon and more Cocoa that Apple is committing to, now and the long-term.
Don't think that APE is a security nightmare on its own. Sure, it provides means by which to inject code into programs that were launched after the code injector became present, but that's not a unique ability. Technically, any daemon can inject code into a program as it is being launched. The APE framework is not doing anything more than calling existing (but undocumented) APIs used in debugging Mac OS X. APE modules cannot poke around into any program they wish, they may only poke around in the applications in which they have been told to reside (something YOU have control over). They may not touch any other program. Sure, you can call APE a bad idea, and yes it can crash applications or spy on the user, but not more than any other piece of malware could, entirely separate from APE.
You can take my Haxies from me when you pry them from my cold, dead hands.
:-)
Yes, it would be better if Apple provided clean(er) hooks for things like Windowshade and FruitMenu. But they don't, and I'll take Unsanity's implementations over nothing at all any day of the week and twice on Sunday. They make my computing life so much better that they are, by far, the best investment I have ever made in software, dollar for dollar (I bought when they were $7 too
Lots of "code that you didn't write" runs in your application's process space. I don't see how Apple or the DivX guys or anyone else are any better or more trustworthy than Unsanity in this regard. If a QuickTime plugin causes a crash, disable it. If an APE Module causes a crash, disable it (or exclude that app using APE Manager). IMO, Unsanity's record is impeccable thus far, and they are certainly a lot more responsive than a big company like Apple.
Yes, being a developer is hard. Sometimes you have to debug problems caused by other people's code. Sometimes new versions of the OS break your app. How dare those users upgrade their OS! How dare they install software that runs in your process space! Sorry, but that's the right of the user.
If you want to blame anyone, blame Apple for not providing "nicer" ways to do the things that so many users so obviously want to do. Unsanity would have been out of business long ago if there wasn't a real demand for the services they provide--despite the particular way they are forced to implement them.
The gay thing about Rosyna's little rant is that it doesn't address my number one complaint with APE; that it slows the system down. And the more modules you add the slower it gets. Unsanity has publicly admitted this in the past.
Rosyna didn't address it because he can't address it; this is a fundamental problem with APE, and it's the reason why I don't (and won't ever) use it.
In short, APE is crAPE.
OK, so the problems are not in the APE framework, but in the modules that run under it. However, the framework is useless without modules to run under it. The equation is clear enough: install haxies and incur a significant risk of problems. The benefits may, in a sensible person's mind, outweigh the risks, just as was true of extensions in OS 9 and TSRs in MS-DOS, but the risks are not negligible. To say that they don't matter because they're not the fault of the APE framework itself is silly.
Please spare me the enthusiasts for whom no failure is ever the fault of the object of their enthusiasm. For example, Windows advocates who insist that bluescreens don't count because they're caused by "drivers," while ignoring the fact that you needed to install drivers to get your display hardware/Adaptec SCSI card/whatever to work.
True story. Circa late seventies. A friend was praising his NorthStar computer to the skies. I asked if it was reliable. He said it had been 100% reliable and he'd never had any problems at all. I asked him to demonstrate it to me. He said, "Oh, sorry, I can't right now, the power supply burned out and I'm waiting for a replacement." I said, "But I thought you said it was 100% reliable." He replied, "The computer works fine--it's just the power supply that's out."
"How to Do Nothing," kids activities, back in print!
Well, can somebody explain why OSXVNC's GUI portion refuses to function due to APE? The developer seems to think that the blame lies at the door of Unsanity, and I sure as hell can't get the GUI part of it to work for more than 5 minutes.
Why is that?
http://www.redstonesoftware.com/osxvnc/OSXvnc.html
APE, along with an older version of ASM (the MenuCracker part specifically) on 10.2 caused the Finder to quit and restart repeatedly ad infinitum. I removed all modules, still caused the problem. Removed APE, the problem stopped. Spoke to him about it, he denied it was the cause, but it's hard to deny.
He can say what he wants, but APE does things it's not "supposed" to be able to do, and this can cause conflicts. I've removed all "hacks" and I haven't had any trouble since.
It can only reassign existing ones. How will it protect you from spam:// URL handler registered by opening an ftp URL? Since the problem is in a shared library, it's only logical to fix it by injecting code into every process. Just like for other things haxies are doing, like global UI changes.
If you can't make the operating system work better, write to the vendor (Apple). Don't do anything yourself.
Come on, Apple was contacted in February about URI exploits and didn't do anything until now. Should I just sit, do nothing and invite "software" that will really break down my protection barriers or should I download a fix that works in the only possible way - by patching existing software?
As for other haxies like UI skins - well if it's your personal machine, the defaults hurt your eyes and you are willing to accept some risk of instability, go for it. If your Mac is supported by other people, well they might uninstall your skin haxies if you get unusual crashes. But they should leave this one in until Apple has a fix.
They are one of the nicest "companies" I have met so far. I have only been a Mac user for 5 months. I mailed them about a program of theirs (theme thing) and how much time it will be supported on Jaguar (OS X 10.2) and one of the coders gave me an answer with all details.
It's nothing I am used to in the PC world (Windows) or Linux.
Tried to delete the first bit of this but apparently I missed. So I end up responding to the same part of a post twice. Teach me not to proofread.
Well, what I wish it would teach me is to get a sufficient amount of sleep. But that doesn't seem likely right at the moment.
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
I tried Paranoid Android 1.2; accumulated immediate crashes from AbiWord and TextSoap, when doing anything involving a large block of text between them, whether by drag'n'drop or copy/paste.
Removed APE, rebooted, problem gone.
Reported to developer.
Last time I tried APE, a year ago, similar problems persisted til I removed it. Reported it then too.
I'm posting now from a completely fresh install of Mac OS X because these vulnerabilities have been "in the wild" for quite some time. Time enough for keystroke loggers and other nasties to be installed in supposedly the most secure operating system available.
I have my RCDefaultApp installed and disabled all my unused URL handlers; some folks go as far as reassigning to a rarely used application that pops up in front of their face, thereby warning the user that an exploit has been attempted. This way an alarm can be sent out about a particular web site.
Since we cannot prevent the exploits, we can halt the program it uses to do damage.
I have considered Paranoid Android, problem is I hear it can be tricked, all a malicious person has to do is download PA and test its defenses in the safety of their own home.
With RCDefaultApp, a malicious person has to take a chance distributing the exploit hoping one didn't reassign their URL handlers, so I think this approach is a better measure of security. They have to expose themselves to see if their exploit works.
I also installed Little Snitch (there are "other" exploits which can initiate a download), which monitors all outbound network traffic and halts it for my review.
And Apple, don't even think about charging for "Tiger"
Personally I think APE is useful. It does pose a security threat though. APE needs to require a password before activating new modules so a malicious module can't load on its own.
As far as Unsanity as a "company", I greatly dislike them.
Most of their software is "Whine and bitch until you give me money - ware". Shapeshifter flashes the screen and puts large letters on the screen that ask you to register (at short intervals even).
It did that (while I was playing a game). The huge image with an alpha map renders slow.. Therefore I died in the MMORPG I was playing.. Thanks.
Their prices are OK.. Although a bit high for a "toy". I call it a toy because, would you use this on a computer you do *any* work on? Most of them are small changes that aren't complicated like the uh font module whatever it's called.
I got sick of the whole deal and deleted APE...
Talent hits a target no one else can hit; Genius hits a target no one else can see.
You may want to look at Jack and Soundflower too.
I'm a part of several independent software development projects (on the PR side, mostly), and can vouch that APE is a piece of shit, and should not be installed by anyone who cares about stability and data integrity. When users get crashing problems and send us their crash logs, APE modules are usually to blame. As such, we just tell our users that we won't support them as long as APE is installed, and get them to uninstall it whenever we see it active in logs users send us. We might even have to add code to our app to prevent it from running if APE tries to insert its threads in our app's memory. I sincerely hope that Apple makes this kind of software impossible by preventing arbitrary third party code from being inserted into apps' protected memory (with explicit exceptions for valid plug-ins, of course). I don't care what Unsanity says, they're full of crap. APE has got to be the #1 source of crashes on MacOS X. Congratulations, Unsanity, for millions of dollars worth of lost work and time. I say we get the torches and rope!
"I like systems, their application excepted", George Sand (French)
this article is pointless and dumb.
I would appreciate it if this comment would be moderated to +5, insightful, but I will also accept +5, funny