The big problem is not that it grants them immunity, it's that in doing so it blocks an investigation into what the Government was doing. Which of course is WHY the bill is granting them that immunity.
Ditto. I have also dissuaded (non-coercively, I'm no BOFH) managers from snooping when they didn't actually have a business-related reason for the investigation.
but the annoying and potentially dangerous concept of autostarting an application when a CD is inserted.
Indeed.
Either way requires physical access to the machine
I don't need physical access to the machine to distribute malware on a CD. I just need to distribute a CD that will launch said malware when it's inserted, and let my victims provide the physical access part at their leisure.
It's not quite as easy as passing in an "applescript:" URL, at least...
What other applications running with elevated privileges accept random Applescript from any random yobbo?
Most commands I've tried respond with "syntax error: No user interaction allowed. (-1713)".
All osascript is doing is compiling and running 'tell application "ARDAgent" to...' as the logged in user. The application "ARDAgent" is already running as root, and accepting '... do shell script "..."' and running it. If ARDAgent is not running, then the osascript command just hangs waiting for it to start up (as it does on my computer, because I don't have Apple Remote Desktop running).
The bug is that ARDAgent's applescript library blithely executes "do shell script".
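A first cut at the question above (which other root-owned processes expose an AppleScript interface at all), as an added example that is not part of the thread. A bundle that ships a scripting dictionary (Contents/Resources/*.sdef) is scriptable; that makes it a candidate to inspect, not proof that, like ARDAgent, it also honors "do shell script". Bundles that advertise scripting only through NSAppleScriptEnabled in Info.plist are an assumption not covered here. The process listing and bundle tree are constructed in a temp directory so the script runs anywhere; on a Mac you would feed it `ps -axo user=,comm=` and "/" instead.

```shell
#!/bin/sh
# Added example, not from the thread: list root-owned app bundles that carry
# an AppleScript dictionary (*.sdef). The listing and filesystem are built
# in a temp dir below (constructed sample data); on a Mac use
# `ps -axo user=,comm=` as the listing and "/" as the root.
# The ARDAgent bundle path is its stock location under CoreServices.

# $1 = file of "user executable-path" lines, $2 = root to resolve paths under.
# Prints "user bundle" for every root process whose bundle carries an .sdef.
root_scriptable_apps() {
    while read -r user path; do
        [ "$user" = root ] || continue
        case "$path" in
            *.app/Contents/MacOS/*) bundle="${path%%/Contents/MacOS/*}" ;;
            *) continue ;;                      # not an app bundle (cupsd etc.)
        esac
        if ls "$2$bundle/Contents/Resources/"*.sdef >/dev/null 2>&1; then
            printf '%s %s\n' "$user" "$bundle"
        fi
    done < "$1"
}

# Build a fake filesystem with one scriptable root bundle (ARDAgent), one
# root bundle without a dictionary, and a process listing; print the root dir.
build_demo_tree() {
    root=$(mktemp -d)
    ard="$root/System/Library/CoreServices/RemoteManagement/ARDAgent.app"
    mkdir -p "$ard/Contents/Resources" "$ard/Contents/MacOS"
    : > "$ard/Contents/Resources/ARDAgent.sdef"
    mkdir -p "$root/Applications/Plain.app/Contents/Resources"
    printf '%s\n' \
        'root /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' \
        'root /Applications/Plain.app/Contents/MacOS/Plain' \
        'peter /Applications/Safari.app/Contents/MacOS/Safari' \
        'root /usr/sbin/cupsd' > "$root/ps.txt"
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
root_scriptable_apps "$demo/ps.txt" "$demo"
rm -rf "$demo"
```

Only the ARDAgent bundle is reported: the second root bundle has no dictionary, Safari is not running as root, and cupsd is not a bundle at all. Each hit still has to be read by hand to see whether its dictionary reaches anything like "do shell script".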
Autorun is worse than things like bugs in JPG or bugs in file systems.
:)
Bugs, you can fix.
When the security flaw is in the design you can't fix it without breaking stuff that was written based on the flawed design.
The poster boy for this phenomenon, of course, is the Microsoft HTML control, Internet Explorer, and ActiveX.
KDE opens a dialog and asks you if you want the CD to be mounted
OK, I missed this, I read this as "KDE opens a dialog and asks you if you want the CD to be executed" or something like that, because my new day job involves writing software for Linux, so I've occasionally got to test software on a variety of Linux boxes and we have a rack of test boxes running a set of bog standard Linux installs (they wouldn't be much good as test boxes if they'd been customized) and when you stick a CD containing a shell script called "/autorun" in many of these boxes, it pops up a dialog asking if it should *execute* that file.
Yes, really.
I think this happens on Gnome-based boxes rather than KDE, but it regularly happens.
There's actually a spec for this kind of craziness: Desktop Application Autostart Specification... look under "Autostart Of Applications After Mount".
Here's what I wrote in 2006 when I first read about the spec: Linux is not Windows.
Combined with the behavior you're describing this is doubly stupid, because someone used to KDE would be likely to reflexively hit that "please infect my computer" button before noticing that it's not asking to mount the CD.
Just out of interest, under which circumstances do you _not_ want a data CD to be mounted when you insert it in your drive?
I'm talking about autorun being the "stupid thing"... not automount.
However, now that you mention it, it should probably pop up a dialog asking how you want to mount it:
1. Should the mount honor the execute bit or not?
2. Should the mount honor setuid/setgid bits or not?
3. Should the mount honor device nodes or not?
4. Should the mount honor access permissions or not?
If you're not logged in as a privileged user, you probably shouldn't get options 2 or 3, and the CD should probably be mounted as if all the files were owned by you.
And, finally, I often want to insert a CDROM to copy it, or to examine it with a file system analysis tool. So "don't mount it, ignore it" should be an option.
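The two checks the comments above ask for, as an added example that is not part of the thread: which of the exec/setuid/device-node protections a removable-media mount actually lacks, and whether the medium carries the trigger files the Desktop Application Autostart Specification's "Autostart Of Applications After Mount" section names (.autorun, autorun, autorun.sh, plus .autoopen and autoopen from its autoopen section). The mount-table lines and the sample "CD" are constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. check_mount_opts reports which of
# noexec/nosuid/nodev a /proc/mounts-style line lacks; find_autostart_triggers
# looks for the XDG autostart/autoopen trigger files in the root of a medium.
# The mount lines and the sample medium are constructed here, not real.

# $1 = one mount-table line: "device mountpoint fstype options 0 0".
# Prints the missing hardening options; exit status 1 if any are missing.
check_mount_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                 # option present
            *) missing="$missing $want" ;;  # option absent
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# $1 = mount point. Prints "name executable" or "name present" for each
# trigger file in the root of the medium. An automounter that honors the
# exec bit would offer to run the "executable" ones.
find_autostart_triggers() {
    for name in .autorun autorun autorun.sh .autoopen autoopen; do
        [ -e "$1/$name" ] || continue
        if [ -x "$1/$name" ]; then
            printf '%s executable\n' "$name"
        else
            printf '%s present\n' "$name"
        fi
    done
}

# Build a throwaway "CD" carrying an autorun script, like the test media
# described above, and print its path.
make_sample_medium() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "would have run as whoever inserted me"\n' > "$dir/autorun"
    chmod +x "$dir/autorun"
    : > "$dir/.autoopen"
    printf '%s\n' "$dir"
}

# Demo: a typical distro mount (ro,nosuid,nodev but no noexec) next to the
# hardened mount an unprivileged user should get.
lax='/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0'
safe='/dev/sr0 /media/cdrom iso9660 ro,noexec,nosuid,nodev,relatime 0 0'
for line in "$lax" "$safe"; do
    if m=$(check_mount_opts "$line"); then
        echo "ok:             $line"
    else
        echo "missing [$m]: $line"
    fi
done
medium=$(make_sample_medium)
find_autostart_triggers "$medium"
rm -rf "$medium"
```

The "lax" line is the one to expect from a stock desktop install: setuid and device nodes are neutralised but the autorun script still executes. Adding noexec is the mount-time answer to question 1; questions 2 and 3 are nosuid and nodev, and "don't mount it at all" is just not calling mount.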
Related to the "should I do something stupid" dialog is the "type your admin password to continue" dialog
Actually, for most of the places that dialog pops up, it's not a stupid security dialog. It's verifying that the person sitting in front of the screen is actually authorized to perform an action. The problem is:
1. Because this option is available, Apple hasn't bothered to figure out if there's a less dangerous way of performing a particular action.
2. As you say, it gets invoked in many cases where it's not necessarily going to be required, rather than being deferred until you actually require elevated privileges.
3. Related to the first point, it's led to the use of root privileges where lesser privileges would have sufficed.
4. There are some cases where this dialog is invoked as a stupid security dialog, where you don't actually require elevated privileges at all.
And related to this is the idea that creating an installer is necessary or even desirable. The ONLY time you should need an actual installer is when your application actually needs to install something into /Library, *and* this decision can't be deferred until first run. Like a device driver, for example.
And related to that is the additional restrictions Apple has imposed in Leopard, for example requiring certain plugins to be installed in /Library rather than ~/Library.
Security Theatre, nobody is immune. I've run into all four of the points (1..4) above in UNIX applications, all the way back to when I was at Berkeley in the late '70s. Requiring root to access privileged ports in the BSD TCP stack is a perfect example of security theatre making a system less secure.
The price of security is eternal vigilance, and this is the kind of chickenshit stuff nobody bothers to be vigilant against.
I'm sorry, I don't quite understand. Are you agreeing with me, disagreeing with me, or making a comment about a related issue... and are you recommending or debunking antivirus software on OS X?
I call those "Should I do something stupid" dialogs.
Given that:
* The answer should almost always be "no".
* It's less hassle if it doesn't ask, just doesn't do it.
* Users get trained to answer "yes", because they keep getting them.
Any time you're putting up "Should I do something stupid" dialogs, you're making things easy for people who are trying to use social engineering to install malware.
Here's the history of Apple's experiment with stupid security dialogs in Safari:
http://scarydevil.com/~peter/io/osx-security.html
http://scarydevil.com/~peter/io/apple.html
http://scarydevil.com/~peter/io/apple3.html
http://scarydevil.com/~peter/io/apple4.html
They finally wised up, and removed the "doing something really stupid" bit, by turning off "open Safe files" by default.
Microsoft's been in denial about the same thing since 1997.
http://scarydevil.com/~peter/io/airlines.html
Windows Airlines: The terminal is very neat and clean, with security barriers every few meters. The attendants are attractive, even if it's kind of creepy how much they want to "help" (especially in the restrooms). The pilots are allegedly very capable, though nobody ever sees them and there's an armed guard by the cockpit door. The fleet of jets it operates are immense. Your jet takes off without a hitch, pushing above the clouds, and at 20,000 feet a message pops up on the seat back in front of you asking "Should this plane explode now?".
Some idiot always answers "Yes".
Windows is so much worse than everyone else that people tend to ignore it when Apple or KDE does something slightly less stupid than ActiveX, but it's still stupid, and putting up a "should this plane explode now?" dialog doesn't eliminate the stupidity.
I know you're making a joke but there's a known race condition in a similar widely-used command.
Even a simpleton can see that eventually, the entire Internet will consist exclusively of strange packets!
"But, Doctor Evil, that already happened!"
No, what's good about Linux, and to a slightly lesser extent OS X, is that Unix is an incredibly simple system at its core, so there are relatively few possible exploitation vectors and they are all well understood.
:)
Unfortunately KDE, Qt, X11, Gtk, Gnome, and the whole "let's make Linux into Windows" desktop hodgepodge that's layered on top of UNIX[1] is incredibly complex, has many components running with elevated privileges, and while it has fewer exploitation vectors than Windows it's conceptually more complex than the NeXTstep-derived equivalents in OS X.
And on top of that, many Linux distros have resurrected the absolutely insane concept of Autorun CDs, something Apple was smart enough to abandon back in the dark ages of floppy distribution.
So, all in all, "do not be so proud of this technological terror". I'd go on, but I've got work to do.
[1] No, X11 is not really a UNIX API, it was designed to be platform independent, ran on UNIX and VMS from the start, and completely ignores many of the fundamental design goals of UNIX as well as many of the most useful *results* of those design goals.
First, yes, this is a serious bug. It's a classic blunder, like getting into a land war in Asia, and is similar to the one in NT 3.51's scheduler to get LOCALSYSTEM rights, or the one in /bin/write in 2BSD to get a root shell.
It's also easy to fix.
And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.
The thing is, it's not true that "one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy". It's not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista's jail around IE, and whatever Apple does along those lines.
Security is like sex. Once you're penetrated you're ****ed.
The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has. ActiveX and all its kin. It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.
I can't see how an editor of a news-aggregating service
First parsed as "news-aggravating service". Seems about right.
In the US, it is far more common to see people use quote's, in an attempt to 'incorrectly' emphasize words. Its 'nearly' as common, as people who think two comma's, are better than one, or who think apostrophe's can just be shoved in, 'anywhere'.
What should the policy be for handling groups of people with the stated goal of destroying our country?
The policy should be:
1. Commensurate with the threat.
2. Directed at the source of the threat.
3. Designed to counter the threat.
For example, broadening the scope of an action to include groups that represent a lesser threat than the group one is currently engaged with, and applying significantly greater resources to the lesser threat, and applying those resources in a manner that promotes the goals of the group one is engaged with, is probably not a viable one.
on a battlefield, you know you are allowed to, like, shoot people and blow them up with grenades, etc
You are aware that there is a difference between civilians and combatants, and that doing that stuff to civilians is supposed to get you an invitation to the Hague, right?
So you're basically defining the entire population as combatants? Nice to know where you stand on the Geneva Convention.
"Dude, you're going to Hell."
Never buy a computer from a company whose name rhymes with Hell. You'll be sorry.
Network Scientists have discovered that the majority of the bandwidth in the Internet is "dark fiber", a mysterious substance that has the same gravitational effects on backhoes as normal fiber, but does not interact with the internet as a whole. Some believe is possible to harness this bandwidth through dark packets, but others fear the growth of pink packets (typically containing porn and spam) will eliminate any potential gains from this little-understood phenomenon. Other scientists, primarily at ISPs, believe that extracting dark money from end users through traffic surcharges is the only way to take advantage of dark fiber.
I first tried to use Firefox/Wine on FreeBSD because it seemed a little easier to install than the Linux ELF.
Should just be a matter of "cd /usr/ports/www/linux-flashplugin9; make install" on any recent FreeBSD version.
I use Windows firefox because I am on FreeBSD and there is no flash player for FreeBSD.
I use Flashblock because I am on OS X and there is a flash player for OS X.
What?
I was talking about the AOL online service client, not AOL Instant Messenger. That is AOL 9.0.
You just destroyed all my illusions about FreeBSD fans. Thanks a bunch.
David Brin's take might be summarized, "Privacy is Dead, What Happens Next?" or "How I Learned to Love the Panopticon."