Re: You can't make a .app look like a .jpg in OS X (on "First Mac OS X Virus?", Score: 1)
This has been done for a while - I thought that any application with a dot in the name (other than the terminating .app) should show up as try.jpg.app - precisely to avoid this scenario from happening.
In fact, it's not everything. I created an app, and renamed it test.jpg, and it stuck .app on the end. Same with .txt .doc .dmg .exe .avi .mov and whatever else I could think of.
When I tried with .xxx it stayed as .xxx - i.e. OS X didn't add the .app suffix, but then if you're expecting a .xxx file to be a document, you might well be disappointed!
Sounds reasonable to me - any registered document type cannot be used as the last characters on a file name for an application...
Of course, as other posters have pointed out you can use the old OS 9 'Creator/Type' codes to create a runnable application without a .app extension. Not sure what happens then...
Don't forget, there's nothing to stop me telling you to download this new whizzy P2P software, and when you unzip the archive it's a shell script saying 'rm -rf /' or (if you don't want the password prompt) 'rm -rf ~'. Doesn't make the platform insecure any more than doing the same with a batch file on Windows that does 'deltree c:\'
Be honest, how many of you have tried software from a site you don't trust 100%? Despite all the warnings, and what you know? Exactly. People will always fall for trojan horses - on any architecture or operating system.
Mark
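As an added, defender-side illustration of the behaviour described in the comment above (this is example code, not code from the original post or from Apple): a small Python check that flags filenames carrying a document-type extension directly in front of a bundle or executable extension, the try.jpg.app pattern, and separately marks names with no recognised extension at all, which is the Creator/Type case the comment raises where the name tells you nothing. It also generalises slightly beyond the comment by treating an unregistered extension such as .xxx as "unknown" rather than as a document. The sets of "document" and "executable" extensions are assumptions chosen for this example, not a list taken from the page or from the OS.

```python
# Added example (not from the original Slashdot comment): classify filenames by
# what their extensions promise, and flag the "try.jpg.app" double-extension
# pattern. The extension sets below are assumptions for this example only.
import os

# Extensions a user would expect to open as a document (assumed list).
DOCUMENT_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "doc", "pdf",
                 "mov", "avi", "dmg", "mp3"}
# Extensions that mean "this runs" on the platforms the comment mentions (assumed list).
EXECUTABLE_EXTS = {"app", "exe", "bat", "cmd", "sh", "pkg", "command"}


def split_exts(name: str) -> list[str]:
    """Return the dot-separated extension parts of a basename, lower-cased.

    "try.jpg.app" -> ["jpg", "app"]; ".friends" -> [] (a leading dot marks a
    hidden file, it is not an extension); "README" -> [].
    """
    base = os.path.basename(name)
    if base.startswith("."):
        base = base[1:]
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]


def classify(name: str) -> str:
    """Classify a filename by what its extensions claim about it."""
    exts = split_exts(name)
    if not exts:
        # No extension at all: the OS 9 Creator/Type case; the name says nothing.
        return "no_extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # "try.jpg.app": reads as a picture until the trailing extension is noticed.
            return "double_extension"
        return "executable"
    if last in DOCUMENT_EXTS:
        return "document"
    # ".xxx": not a registered document type, so nothing was appended and the
    # name alone cannot tell you whether it is a document or something runnable.
    return "unknown_extension"


def needs_inspection(name: str) -> bool:
    """True when the name alone is not enough to trust what the file is."""
    return classify(name) in {"double_extension", "no_extension", "unknown_extension"}


def scan(names):
    """Return a dict of name -> classification for a batch of filenames."""
    return {n: classify(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names mirroring the experiments in the comment.
    sample = ["try.jpg.app", "test.xxx", "Photo.JPG", "deltree.bat",
              "readme.txt.exe", "Installer", ".friends"]
    for n, c in scan(sample).items():
        flag = "INSPECT" if needs_inspection(n) else ""
        print(f"{n:16} {c:17} {flag}")
```

The point of the three flagged categories is the one the comment makes: a name-based check can catch the obvious disguise (a document extension followed by .app or .exe), but a file with no extension or an unregistered one is simply unverifiable by name and has to be judged by where it came from.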
I thought I did get the point - my argument was that the guilt was shared, but that it didn't make them any less guilty.
I think we're arguing the same point here :)
Mark
[C]ulpability lies solely with the two defectives who committed the crime
So do you lock the front door when you leave the house?
Yes? But why, surely it's not your fault if someone comes in and takes everything, it's entirely their fault, no?
Lock your car too? Use passwords on your PC? Do you walk along flashing your cash at all and sundry?
You're right, it's the choice of these kids to break the law - but a hospital ought to 'lock the doors'... Not least because if they have a system that literally controls whether people live & die, they should not let just anyone have access to it. I want to know why the Intensive Care unit was on the Internet at all. If ever there was a system that should have an 'air gap' to the real world, it's that.
And the people saying 'the hospital isn't to blame any more than a woman in a short skirt is to blame for being raped' - it's not about blame, it's about responsible actions. If a woman dressed provocatively walks home alone on darkened streets, of course she does not want to be raped, but she has to appreciate it raises the likelihood. Rapists exist, and every woman has a duty to herself not to make herself a target. Criminals exist, and every person (institution, business) has a duty to themselves (and their customers) not to make themselves targets too. If you walk down the street with your iPod in your hand, a mugger is more likely to target you than if you don't - doesn't mean it's not his fault, just that you didn't try and protect yourself.
Agreed, the 'short skirt' argument shouldn't get the rapist a lighter sentence, just because his justification was 'she was asking for it', any more than the hospital being insecure should reduce the penalty on these cretins. But I hope the judge says 'you see the scum that's out there? Be smart, be safe, and don't take the risk'.
It's possible for both sides to be at fault - but that seems to elude a large number of the Slashdot 'group thinkers'. Lock these guys up as long as you like, but if you don't also get the hospital to wise up then it's pointless - there's a never ending collection of criminals out there... and next time someone could die.
Mark
Yes, but that wasn't revealed in TFA until paragraph 3, and so no-one read that far...
Mark
Firefly, Farscape, Family guy, Futurama
What do these shows have in common?
They all start with an F, as does Fox.
Coincidence? I think so....!
Mark
I couldn't agree more.
I used to have my email client beep and flash to tell me I had new email, then I realised I wasn't getting anything done.
So now, it doesn't even tell me if I have unread mail or not - I check it when I'm not busy, and deal with anything then.
People still thought I'd respond instantly, but it doesn't take long to train them that if something needs my attention, call me - and if I'm too busy, leave a voice message. They get priority; email is an 'as and when' proposition now.
Mark
Sounds like he knows her very well.....
Anybody want a peanut?
Uh oh - when did the sun go out?
Well, technically he said 'in' the world, so as long as the sun was up when he wrote it, he's right.
After all, we all know the sun burrows through the earth at night, right? Lands somewhere in Arizona, that's why the rocks there are so red...
Mark
PS Thanks to Bill Watterson for the Arizona information - everything I need to know about science I learnt from "Calvin & Hobbes".
The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet.
OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI you could download to fix the IDN problem isn't signed. (Check for yourself: Click Here). So I hear about a security problem, but the only patch available relies on me to check the URL to make sure it's OK - and the fault is one that allows me to pretend to be another URL! Granted, the page it's linked from is HTTPS, but that's no guarantee...
Or alternatively, someone can alter the XPI (or write a new one), pretend to mirror it and offer it for download - since the real one's not signed by Mozilla, I can't prove I'm not getting the right one!
Unless extensions get signed, we'll never know where they come from - and I could find myself downloading a malicious extension from whatever.mozilla.org, and assuming I'd be OK.
I know signing isn't the be-all and end-all (there's nothing to stop someone signing a malicious app) but at least I could see it wasn't signed by a Mozilla developer!
Say what you like about Microsoft, but at least they tend to sign their ActiveX stuff, patch downloads, etc.
And yes, I've spoken about this before...
Mark
Must have been something stolen from SCO, right? :)
Mark
Another HUGE advantage of this is that anyone who comes to ask you to 'just help me out with this' can see at a glance how busy you really are.
Whining 'I've got 100 tasks in my to-do list and 250 unread mails' doesn't have the same effect on job-droppers as a wall covered in post-its, scribbled reminders and illustrations of dripping knives to highlight the 'important' tasks :)
Of course, if you're not busy, it's a dead giveaway - but no-one ever checks to see if what's on there is accurate ;)
Mark
Just don't call them stupid.....
Mark
K-k-k-k-ken's c-c-c-c-coming to k-k-k-k-k-kill me! How are you going to c-c-c-catch me, K-k-k-ken?
who saw the sarcasm in that announcement?
Guess so....
Mark
There's a saying in the airplane industry expressing that idea:
Any landing you can walk away from is a good landing.
And the second half of the saying is: "and if the 'plane can be used again, it was a GREAT landing."
Mark
And in 2003, a leap-second bug made GPS receivers from Motorola Inc. briefly show customers the time as half past 62 o'clock.
If I remember correctly, this was caused by the fact that a counter in the code, which incremented each week there wasn't a leap second, wrapped around. They knew about it in advance, and were able to warn people to reset their receivers.
Removing leap seconds altogether is silly, until we have the technology to rearrange the solar system to match our clocks. And when we can do that, we may as well go to decimal time...
Mark
PS What do you know, I did recall correctly :) You can also view Motorola's original PDF advisory, which interestingly doesn't think the time will be wrong, just the date.
The only thing missing is the witty satire of the slashdot crowd.
You know, you had me convinced up until this sentence...
I must be new here :)
Mark
On our shared Unix system (a Sequent Symmetry, no less) at University the Computer Society hacked together some tools for Buddy Lists and IM.
One was a replacement for 'who' that would let you add a .friends file (we're in the UK, so .buddy was out :) that mapped login IDs to real names. When you ran 'nwho' you could see who was online, and where they were logged in from. (It mapped IP addresses and PAD locations to physical locations).
Combined with a program called 'slmp' for status line message printer you could get notifications in the bottom corner of your screen to tell you when a friend logged on. Better yet you could ping messages back and forth without using 'talk' so you didn't upset their 'vi' sessions...
This was all done with CLI logins, no GUI tools at all, but if anyone is trying to patent location based IM, we may have prior art :)
This was all done between 1991 and 1994...
Mark
That's what electrical tape is for: to cover that light so you don't have to look at it any more.
My father has experience in this matter. He once got a lift in a Chinook helicopter and noticed over the pilot's shoulder that about half the warning lights in the cockpit were flashing. Being an engineer, he was concerned that it might be overdue a maintenance cycle, and asked the pilot about them. He replied 'oh, they're all minor, nothing to worry about'.
On the way back a couple of days later, he realised it was the same helicopter and the same pilot, but this time none of the warnings were flashing. 'So you found time for a service then?' he joked.
'Oh, I just got sick of the flashing lights, so I unscrewed the bulbs' he replied.
My father never worked out if he was joking or not...
Mark
PS I know it's not rocket science, but it's a great story :)
Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.
So do they show it before you log in? If so, what's to stop me going to the site and asking for your picture?
After? Then it's too late.
And yes, I did RTFA - my favourite quote was "Although SiteKey wouldn't have prevented recent high-profile security breaches, it shows how seriously the bank considers security."
So basically it's another hoop to jump through, that won't help. Great work!
Even if I have to log half-way in (give a line-noise style user ID) before I can see it, you can still use a man-in-the-middle attack. If I'm phishing, I ask for the details I need. You give them, and I pass them to the bank, and ask for the photo. When you push the button, I show you the photo...
It makes life harder, nothing more. Unless you type in the URL, you can't be sure you're in the right place, and maybe not even then if DNS is spoofed...
Mark
If it's anything like mine, you might have a localised version installed.
I have the Windows version for British English (yes, it's different from American English) and when I visit the Firefox home page, I am presented with two download options.
1. 1.0.5 American
2. 1.0.4 British
I guess your localised version isn't updated yet.
Why not take a look?
(I've now decided to suck up the bad spelling and use the US version, just to keep up with updates).
Mark
This usability crap is an old myth. Anyone saying that it's a "hobbyist's" OS and nothing more is living in 1995. Both Gnome and KDE have come far along and work very well. Overall integration can be lacking, but it's moving along and it'll get there.
Yes, but you also said:
I find that if you make sure that you're using programs from the same DE (don't try mixing and matching KDE and Gnome apps) that the Linux experience is VERY consistent and perfectly usable.
While I agree it's way better than it was 10 years ago (or even 5 years ago), if Linux is going to compete with Mac OS X, it needs to not have people worrying about this sort of thing. If I go to my local retailer and pick up (say) MS Office, I know it will work with my Windows XP box. If I get Office for Mac, I know it will work with OS X. If I get a hypothetical retail copy of OpenOffice/NeoOffice/Crossover Office from the same store, will it work with 'my' Linux? What if they assume Gnome is better and I prefer KDE? What if they use older libraries than I have, and it clobbers them? What if.....
Alright, this is an extreme example. But the very fact you said not to mix KDE & Gnome means Linux is NOT ready for prime time. Maybe Ubuntu can be, maybe Fedora can be, maybe Lindows is... But until I see Linux software with 'designed for DistributionX' on it, I doubt you'll see Joe Average switching to it. There's just too much room for fear, uncertainty and doubt (reference intended).
When it's as easy as OS X, then Apple will be worried. Right now, it's not even as easy as XP - if it was, it'd already be eroding XP on office desktops. Practically all the 'Linux switchers' we've heard about were just agitating to get a discount from MS...
People always say 'OS X just works' - and until they say the same about Linux (either about it generally, or any given distribution) then it won't be competition for either Apple or MS, not outside the Slashdot crowd. And within that demographic, do you really think just one distribution will get mass-endorsement? Look at the flamewars we get every time someone mentions Yet Another Package Manager...
If a newbie walked in to any Linux evangelist forum and said 'what should I get' he'd get as many different suggestions as there were replies to the thread. There may be dozens of *BSD distributions, but it never went mainstream until Apple picked one, and sold it. It might take someone selling a single standard distribution in a similar way to kick-start Linux on the desktop, but who would do it?
Mark
There seem to be an awful lot; I haven't been able to see them all (though I will continue to try). Where do they mostly come from, I wonder.
Let me get this straight, you're trying to see all the porn in the world, and you still don't know where babies come from? :)
Mark
Imagine gVoiceMail for Skype.
Google can search audio (as another poster pointed out), and they already have 2GB per user... I'm not sure of the bandwidth Skype uses, but if it's not a factor of 10 smaller to store than MP3s of real music, I'll eat my hat.
In fact, I'd do it so that the standard gMail interface just showed your voice messages next to your email... With targeted ads in the window as you play each message, just like with email.
You heard it here first, Robert X. Cringely :)
Mark
More TLDs no one is going to use because ".com" just sounds cooler.
Which is why I was agitating for .cum as a domain for the 'adult industry'.
You can't tell me that wouldn't have sold like hot xxx sluts^W^Wcakes...
Mark