If it was just a matter of security, I'd be using Safari on Windows anyway... but on top of that Safari redraws faster than IE and Firefox on Windows for me. There are some preferences settings relating to whether it should render while images are downloading, have you checked those?
I'm less happy about then wrapping it in the Mac-style window borders. Hopefully that's temporary.
The main problem I have is that you can't tell it to wait long enough for some pages that take a while to start coming up. You should be able to kill that timeout. But that's rare enough that one would call it "painful".
I don't need a username and password to get through my proxy, though. Googling around, I see there's quite a few problems with proxy authentication support in various packages, as well as a variety of authentication schemes, so I wouldn't automatically classify authenticating proxies as "basic functionality".
You mean the potential Mac game developers who weren't at WWDC because they were developing for Windows now?
We're in the process of changing that. EA is going to port [some of] their games to the Mac. ID software will, too.
Oh, oh, so this was targeted at the potential Mac game developers (who weren't at WWDC) who hadn't heard of Cider, to try and convince someone to really port some games to the Mac.
I have seen established bands do the opposite of what you're trying to say.
I'm not sure what you're trying to get at here.
My point was that having a recording contract isn't really relevant when a band is getting established. I didn't say anything about whether it was relevant to staying popular. Or were you meaning to reply to the article I was responding to?
They're just going to be running the Windows code calling Win32 and DirectX APIs under some collateral descendant of WINE.
As far as Mac developers are concerned, it's irrelevant. It won't be using or advancing any of the features of OSX in any way that anyone with a reason to attend WWDC could possibly care about. I don't know why they bothered bringing it up.
Sure, word of mouth will get around in time but how much time does truely independent artists have until they need to show a profit or be forced to go back to school and get a 9 to 5?
I think you have cause and effect reversed. Artists start out with a 9-5 playing on weekends until they make enough money to make a living off their music. It's around the time that they're beginning to "make it" that the labels get involved.
If they're good, the web just makes it easier for them to get to the point of making a living off their music before the labels swoop down.
if time travel were possible someone would have already come back and told us.
If time travel was sufficiently easy for that and you could change the past, every time time travel is invented some people will go back to observe that invention. Every "time" they do that, they will change the past, slightly. "Eventually", one of these changes will prevent that invention of the time machine, and no more time travel will occur. This will happen every time the time machine is invented, so in any hypothetical universe in which it is easy for people to "come back and tell us", time travel will not be invented... not because it's impossible, but because it is.
(Thanks to Larry Niven for this chain of reasoning)
Last time he found an exploit he reported it publicly and to apple and what did apple do? They claimed the exploit never existed and threatened to sue him over it.
And refusing to follow ethical research practices now provides him no protection from that kind of response. None. Zero. Zip. he is not doing anything useful by behaving this way. All he is doing is further damaging his reputation.
His company relies on their credibility to get them by. A security company without credibility is the most worthless thing ever.
Indeed. Which is why his response is just plain stupid. It doesn't help his reputation, and it hurts his credibility.
All damage, zero benefit.
Whether or not apple *actually* works to fix the bugs is irrelevant
To the people who are affected by his actions, whether Apple fixes the bugs or not is the only thing that is relevant.
Apple basically punished him for doing the right thing. I can't blame him for not doing it again.
How you respond to negative reinforcement is what is called a test of character. Whether you blame him or not, it's important to consider his response to this test when evaluating his vulnerability reports.
Journalling is actually part of the problem. If the catalog is damaged it can't replay the journal, and Disk Utility refuses to rebuild the catalog if the file system is journalled... a catch-22 situation. The way out is to boot single-user and run fsck_hfs with the -rf (or -rdf) options explicitly.
I had this happen to my backup disk for my Macbook Pro just by getting it "too full", so this is still a problem in 10.4.9!
Sorry for my ignorance, but at least isn't there a way to use ext3 partitions for your data?
I don't know, and unfortunately it really doesn't matter... it's basically equivalent to UFS. UFS is far more reliable than HFS+ and Mac OS X has a good version of that. The problem is that the emulation layer Apple uses to get the HFS+ extensions on top of other file systems is incomplete. Unless Apple completes that or changes the software that depends on them so it runs cleanly on standard UNIX file systems we're stuck with HFS+.
The WWDC demo showed AJAX apps on the iPhone calling into apps on the iPhone.
I don't see a way that this can be done securely. Jobs says they're secure... but in context he means "it uses SSL". Jobs says they're sandboxed, but if they can place calls and access your local data then everything you care about in the phone is in the sandbox and open for a bad guy to mess around with.
This might keep you from taking over the software radio and hax0ring the cellular system (but it won't keep the real bad guys from doing it), but it won't provide you any useful security.
HFS+ is the only file system I have used on ANY UNIX system in the past quarter of a century where I have had to resort to third-party tools to fix corruption, and where you can corrupt it to that point just by letting it fill up.
Sometimes I really hate it when I'm right. I suggested that this was too good to be true when it was originally posted here. Alas, we're stuck with HFS+ until Apple gets over their NIH issues.
There is no concrete reason to think that the company in question has not contacted Apple many times and (due to being ignored) feels such a thing is worthless until/unless it is totally public - much the same as many here feel is the case with Microsoft.
I've contacted Apple many times and recieved no feedback. It would still be totally irresponsible for me to release a security vulnerability before notifying them. Same with Microsoft, Bank of America, Valve, or even the MPAA. It doesn't matter who the responsible organization is, if you don't notify them before announcing the vulnerability you've abandoned any pretense at being a responsible security researcher. There is no excuse whatsoever. None.
As I noted in my comment on larholm.com, this is a long running design flaw in both ahem-mainstream-ahem operating systems. It's really not safe for any browser or other application to trust LaunchServices *or* Windows protocol handler database. The handlers that are suitable for a desktop environment are not generally the ones you want to use from untrusted documents.
Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.
Did you read the disclosure policy?
Keeping with our disclosure policy, we do not report bugs to Apple.
It doesn't say
Keeping with our disclosure policy, we do not wait for a response to the bugs we report.
If it said that, your comment would make sense. That would be something like... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.
Do you have a better explanation, or a justification for that approach?
If it was just a matter of security, I'd be using Safari on Windows anyway... but on top of that Safari redraws faster than IE and Firefox on Windows for me. There are some preferences settings relating to whether it should render while images are downloading, have you checked those?
I'm less happy about then wrapping it in the Mac-style window borders. Hopefully that's temporary.
The main problem I have is that you can't tell it to wait long enough for some pages that take a while to start coming up. You should be able to kill that timeout. But that's rare enough that one would call it "painful".
It even works on Windows 2000 for those of us who have declined to upgrade to "spyware-enhanced" Windows XP and Vista.
I don't need a username and password to get through my proxy, though. Googling around, I see there's quite a few problems with proxy authentication support in various packages, as well as a variety of authentication schemes, so I wouldn't automatically classify authenticating proxies as "basic functionality".
Howdy, potential Mac game developer
You mean the potential Mac game developers who weren't at WWDC because they were developing for Windows now?
We're in the process of changing that. EA is going to port [some of] their games to the Mac. ID software will, too.
Oh, oh, so this was targeted at the potential Mac game developers (who weren't at WWDC) who hadn't heard of Cider, to try and convince someone to really port some games to the Mac.
Gotcha.
I have seen established bands do the opposite of what you're trying to say.
I'm not sure what you're trying to get at here.
My point was that having a recording contract isn't really relevant when a band is getting established. I didn't say anything about whether it was relevant to staying popular. Or were you meaning to reply to the article I was responding to?
They're just going to be running the Windows code calling Win32 and DirectX APIs under some collateral descendant of WINE.
As far as Mac developers are concerned, it's irrelevant. It won't be using or advancing any of the features of OSX in any way that anyone with a reason to attend WWDC could possibly care about. I don't know why they bothered bringing it up.
It was a good idea 10 years ago, but it's a stupid one now.
:(
HFS+ wasn't even a good idea 10 years ago.
Right, I think this is for abrasion and surface cracking, not structural damage.
Find me real examples of bands that have made it strictly off the web with no label backing.
People like Jonathan 'Code Monkey' Coulton are making a living through YouTube backing.
Sure, word of mouth will get around in time but how much time does truely independent artists have until they need to show a profit or be forced to go back to school and get a 9 to 5?
I think you have cause and effect reversed. Artists start out with a 9-5 playing on weekends until they make enough money to make a living off their music. It's around the time that they're beginning to "make it" that the labels get involved.
If they're good, the web just makes it easier for them to get to the point of making a living off their music before the labels swoop down.
What kind of damage to the vascular system are you thinking about?
if time travel were possible someone would have already come back and told us.
If time travel was sufficiently easy for that and you could change the past, every time time travel is invented some people will go back to observe that invention. Every "time" they do that, they will change the past, slightly. "Eventually", one of these changes will prevent that invention of the time machine, and no more time travel will occur. This will happen every time the time machine is invented, so in any hypothetical universe in which it is easy for people to "come back and tell us", time travel will not be invented... not because it's impossible, but because it is.
(Thanks to Larry Niven for this chain of reasoning)
"why the fuck should he care about anything except his bottom line."
If he doesn't care about anything but his bottom line, why should I treat him as anything but an ambulance-chaser?
Last time he found an exploit he reported it publicly and to apple and what did apple do? They claimed the exploit never existed and threatened to sue him over it.
And refusing to follow ethical research practices now provides him no protection from that kind of response. None. Zero. Zip. he is not doing anything useful by behaving this way. All he is doing is further damaging his reputation.
His company relies on their credibility to get them by. A security company without credibility is the most worthless thing ever.
Indeed. Which is why his response is just plain stupid. It doesn't help his reputation, and it hurts his credibility.
All damage, zero benefit.
Whether or not apple *actually* works to fix the bugs is irrelevant
To the people who are affected by his actions, whether Apple fixes the bugs or not is the only thing that is relevant.
Apple basically punished him for doing the right thing. I can't blame him for not doing it again.
How you respond to negative reinforcement is what is called a test of character. Whether you blame him or not, it's important to consider his response to this test when evaluating his vulnerability reports.
It's comparable the way herpes is comparable to AIDS, perhaps, but you still don't want to get herpes. :)
If the applications can access your personal information on your iPhone, or make phone calls, then the sandbox isn't good enough.
Journalling is actually part of the problem. If the catalog is damaged it can't replay the journal, and Disk Utility refuses to rebuild the catalog if the file system is journalled... a catch-22 situation. The way out is to boot single-user and run fsck_hfs with the -rf (or -rdf) options explicitly.
I had this happen to my backup disk for my Macbook Pro just by getting it "too full", so this is still a problem in 10.4.9!
Sorry for my ignorance, but at least isn't there a way to use ext3 partitions for your data?
I don't know, and unfortunately it really doesn't matter... it's basically equivalent to UFS. UFS is far more reliable than HFS+ and Mac OS X has a good version of that. The problem is that the emulation layer Apple uses to get the HFS+ extensions on top of other file systems is incomplete. Unless Apple completes that or changes the software that depends on them so it runs cleanly on standard UNIX file systems we're stuck with HFS+.
Microsoft integrating the browser and the desktop was what caused the flood of exploits in the late '90s.
Apple integrating the browser and the phone services will create a whole new set of security problems.
The WWDC demo showed AJAX apps on the iPhone calling into apps on the iPhone.
I don't see a way that this can be done securely. Jobs says they're secure... but in context he means "it uses SSL". Jobs says they're sandboxed, but if they can place calls and access your local data then everything you care about in the phone is in the sandbox and open for a bad guy to mess around with.
This might keep you from taking over the software radio and hax0ring the cellular system (but it won't keep the real bad guys from doing it), but it won't provide you any useful security.
HFS+ is the only file system I have used on ANY UNIX system in the past quarter of a century where I have had to resort to third-party tools to fix corruption, and where you can corrupt it to that point just by letting it fill up.
Sometimes I really hate it when I'm right. I suggested that this was too good to be true when it was originally posted here. Alas, we're stuck with HFS+ until Apple gets over their NIH issues.
Bug, design flaw, missing feature, doesn't matter... you gotta report it using the tool they give you.
Assassinating your own character so Apple can't do it for you is hardly "the right thing".
There is no concrete reason to think that the company in question has not contacted Apple many times and (due to being ignored) feels such a thing is worthless until/unless it is totally public - much the same as many here feel is the case with Microsoft.
I've contacted Apple many times and recieved no feedback. It would still be totally irresponsible for me to release a security vulnerability before notifying them. Same with Microsoft, Bank of America, Valve, or even the MPAA. It doesn't matter who the responsible organization is, if you don't notify them before announcing the vulnerability you've abandoned any pretense at being a responsible security researcher. There is no excuse whatsoever. None.
OS X has the same problem.
h tml
http://www.scarydevil.com/~peter/io/osx-security.
(and several other notes on http://www.scarydevil.com/~peter/io/ )
As I noted in my comment on larholm.com, this is a long running design flaw in both ahem-mainstream-ahem operating systems. It's really not safe for any browser or other application to trust LaunchServices *or* Windows protocol handler database. The handlers that are suitable for a desktop environment are not generally the ones you want to use from untrusted documents.
Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.
... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.
Did you read the disclosure policy?
Keeping with our disclosure policy, we do not report bugs to Apple.
It doesn't say
Keeping with our disclosure policy, we do not wait for a response to the bugs we report.
If it said that, your comment would make sense. That would be something like
Do you have a better explanation, or a justification for that approach?
More options never hurt you, so why are you complaining?
Heck, I wish Microsoft was still shipping IE for the Macintosh.