I get about half the mileage listed on a 2000 Dodge Ram 2500 HD 4x4.
If you go back in time to 1999, companies will pay you a nice salary to come in, be a warm body in a chair, and go to lots and lots of training.
Nowadays I'm surprised you can find even 100 job postings nationwide.
Seriously, I welcome the fact that I can go and instantly buy a single song I heard and liked for 99 cents. The one thing that upsets me is that just because someone's being all bitchy about any DRM, this solution is possibly in jeopardy. If you want the song without DRM, go get it on some P2P network. Is there any song that's available on Apple's store that's not already available ripped straight from CD to MP3/OGG/MP4/WMA? The only thing this guy's doing is weakening Apple's ability to assuage the RIAA's fears about digital distribution, threatening the distribution medium and process altogether.
Remember the good old days of HomeRF? Intel backed that standard of wireless networking with all its multibillion-dollar muscle. And it lost. Apple put 802.11b in all of its systems, and within the next year or two the battle was won.
And what about USB in the early days? I can't cite any specifics, but I think I remember that Intel had shipped it on motherboards for quite a while, and was about to stop using USB since there were no devices. Then out comes the iMac with USB only for serial devices, and it caught on. Plus, USB 2.0 was supposed to kill firewire, but it hasn't happened yet.
Well, Apple's done the same with Bluetooth. Every system is available with Bluetooth built-in now. I'd bet it'll be at least available built-in on PC's in the next year, and standard the year after that.
Kinda sad at the ripe old age of 26, but I find myself thinking that I don't understand why these crazy kids are doing this, and what do they really get out of it? I keep my iPod snuggled up in my belt holster protected (and protecting me) from all the crazies I have to walk by on the streets.
Ergonomically this is not a good thing.
Where did you get the idea that it's bad ergonomically to look up at your screen? In fact that's the proper way to do it. At least that's what I learned from SGI's Ergonomics Center. And that says a lot from a company that truly cares more about employee comfort and happiness than product development.
Just think about it though. Is it better to be hunched down looking at a monitor, or sitting upright looking straight ahead (or slightly up) at a monitor so you can have proper posture and not bend forward?
They lock customers into expensive, proprietary software AND hardware.
How are customers locked? If anything, it's an expression of choice that you have the opportunity to buy an Apple computer. Or a Sun workstation, or anything else you want or can afford.
Please elaborate on this hideous "locking in" that Apple's forcing on millions of users each year.
I got a call a few weeks back, Saturday morning at 9AM from AT&T wanting to sign me up for long distance service. I quickly whipped out the "I don't have long distance, don't want it, have a no-pick on my service, and want you to place me on your do-not-call list immediately".
The woman on the other end got very unpleasant very quickly, and asked "Is this [not-my-name]?" I told her that I was not that person, and that this is my phone number. She very quickly (and gleefully I might add) told me that if I was not the person whose name she had, then I was not authorized to place this (MY) phone number on a do-not-call list and that I would continue to receive solicitation calls until I signed up for long distance with AT&T. Then she hung up on me.
That fucking pissed me off. The follow-up call to their customer service to file a complaint and add myself to the do-not-call list was not much better. After about 5 minutes of arguing with the guy that if I had an emergency, I would either dial 911 or go to a neighbor's phone, I finally just kept repeating "You're refusing to add me to your do-not-call list. Let me speak to your manager immediately." Took about 15 times of that with me getting louder and louder each time before he put me on hold for 30 seconds. Then the same guy came back to "confirm my information for the do-not-call list." He then proceeded to mis-speak my number not once, not twice, but 10 times, trying to get me to "confirm" a different number. Only after threatening with the manager bit again did he successfully repeat my number.
As far as I'm concerned, these fuckers should roast in their own shit. About time the government is giving us the power to fight back, and I'm really looking forward to my first $11,000 bonus check from a telemarketer who refused to follow the DNC list.
I'll never understand how they believe that infuriating the potential customer will successfully gain new business. And given the attitude I've gotten from telemarketers, I can guarantee you that the calls are NOT monitored for quality assurance.
I didn't see the word "beleagured" anywhere in the security advisories.
We are talking about Apple Computer, right? I often get them confused with the Beatles' record label, Apple Corps, Ltd.
One more example where @stake allows time to fix the issue before going public.....
This @stake advisory was published on July 12, 2002. Under the section "Vendor Response", it states that: "Vendor was notified of these issues on May 28, 2002."
That's pretty much a month and a half advance notice before going public. Again, it appears that since Pingtel acknowledged their "accomplishment" with "a point by point response to the @stake advisory" they held off with the announcement. Granted, this is a completely different platform, different security implications, etc. But still, the signs point to someone throwing a temper tantrum and going very public very early, with subtle yet noticeable allegations that the Apple security fix would require a $129 purchase.
According to this advisory at @stake, they have at least once withheld release of a vulnerability until affected systems could be patched. This paragraph kinda sums it up:
Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release this information no later than 1st June 2003.
So it does seem a little childish to just jump out and announce a vulnerability to the world.... My guess (yeah, it's just the little scenario I've worked up in my mind) is that @stake wanted to "work with Apple" and release a joint press-release type scenario on squashing a vulnerability. Apple of course doesn't want to give credit to anyone for anything (not trolling, just stating an observation), and refuses the offer. @stake gets pissed and blares this up and down the board, issuing press releases, contacting specific non-Apple-loving reporters, etc. You know why I think this? From the same advisory linked above is this self-serving text:
@stake worked with Nokia to ensure that all affected operators were informed and upgraded and only after this time did @stake agree to release this information to the public.
Do you really think that Nokia let @stake get into their code, make security changes, and essentially be a full partner in the effort to crush this vulnerability? I don't.
It may seem like Apple leaves users out in the cold, but the way I see it is different. What Apple does is introduce new must-have technology, thus encouraging people to upgrade. When that newer tech isn't back-ported to a previous system, people feel left behind. All of a sudden, in light of the new improved shiny goodness the minor stability and security updates are often met with cries of "if they updated why don't they just give me too?"
Perfect example would be the old iPod versus the new iPod. Some people bought old iPods shortly before the new ones were released. Yeah, there have been updates. But they didn't add features like On-The-Go playlists, or games, or any of the other little goodies. So therefore the owners of the older iPods feel abandoned since they aren't getting any cool updates, just routine updates.
From the site at @stake....
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
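The "Systemic Insecure File Permissions" advisory quoted above comes down to a check an administrator can run; as an added example (not code from @stake or any poster on this page), this POSIX shell script audits an application tree for world-writable files and directories and clears the other-write bit. The Demo.app tree and its modes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the @stake advisory or anyone quoted here.
# Finds the "globally writable" entries the advisory describes and
# strips the other-write bit from them. Sample tree is constructed.

# List world-writable entries under $1, one path per line, sorted.
# Symlinks are skipped (their own mode bits mean nothing); -perm -002
# matches any entry with the other-write bit set, file or directory.
list_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null | sort
}

# Number of such entries; "0" means the tree is clean.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: clear the other-write bit on every offending entry.
# A world-writable *directory* matters as much as a world-writable
# binary: the binary can be renamed and replaced even if it is itself
# read-only, so both kinds of entry are fixed.
fix_world_writable() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} + 2>/dev/null
}

# Build a constructed sample tree resembling a badly packaged bundle
# and print its root. Modes are set explicitly so the demo does not
# depend on the caller's umask.
make_sample_app() {
    root=$(mktemp -d)
    mkdir -p "$root/Demo.app/Contents/MacOS" \
             "$root/Demo.app/Contents/Resources"
    printf '#!/bin/sh\necho demo\n' > "$root/Demo.app/Contents/MacOS/Demo"
    : > "$root/Demo.app/Contents/Resources/config.plist"
    chmod 755 "$root/Demo.app" "$root/Demo.app/Contents" \
              "$root/Demo.app/Contents/Resources"
    chmod 644 "$root/Demo.app/Contents/Resources/config.plist"
    chmod 777 "$root/Demo.app/Contents/MacOS"        # world-writable dir
    chmod 766 "$root/Demo.app/Contents/MacOS/Demo"   # world-writable binary
    echo "$root"
}

# Demo run: audit, report, fix, re-audit, clean up.
app=$(make_sample_app)
echo "Before: $(count_world_writable "$app") world-writable entries"
list_world_writable "$app"
fix_world_writable "$app"
echo "After:  $(count_world_writable "$app") world-writable entries"
rm -rf "$app"
```

Run the audit against a real application directory by calling list_world_writable on it; review the list before applying fix_world_writable, since a few vendors deliberately ship world-writable cache or log directories.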
I've read it and am using the information as a basis for developing a wireless security (yeah I know it's never completely secure) solution. If nothing else, it's a centralized resource explaining the major protocols and issues involved. It gives you a great overview of which avenues to explore, and then take it to a test environment and see what works for you......
Look through the pictures. Several of them have the Sun Microsystems logo prominently displayed.... Looks like a grassroots marketing campaign led by the Gnome population of Massachusetts.
Where did you hear that Apple has "significant DRM"? I've been keeping up with all the rumor sites and haven't seen anything like that... there was a mention of not making it seamless to copy files from computer to computer.....
If I were the customer and got charged out the ass because of a worm that had nothing to do with my site (I wasn't infected), I'd be pissed and take my business elsewhere in a heartbeat. So it's all a matter of weighing the potential future revenue by keeping the customer happy against the quick one-time revenue of billing for huge random un-preventable spikes.
Didn't we learn - if your developer is complaining that he doesn't get paid enough, you'll have dinosaurs eating your customers soon enough?
I find it interesting that the information comes from an unnamed source at an unnamed company, and no one will comment on it. Perfect food for the rumor sites, but the LA Times and San Jose Mercury?
Does it really make a difference if you get an extra 2 frames per second on your game? I understand if you're doing super high end visualization where it's necessary, but at that point you can afford to purchase 5 different $500 cards and compare for yourself, right?
Example - Sniffer. Great piece of software. Does everything you could want. But it's so confusing with random tabs all over the place, buttons that are similar but do different tasks in different parts of the program, and completely lacking in intuitive interface....
Windows has a 95% market share..... coincidence?
For the average American, you can't have anything with versions like 16.5 or E17. They just don't get it, and don't want to get it. They like something simple like "XP" - whether or not it means anything to them it means more than a version number.
For Linux to survive among the masses it must be simple to understand in name, as well as simple to use. Just tell Average Joe he has a choice between Redhat, Mandrake, Yellow Dog, SuSE, etc. and try to explain the differences (journaling filesystems, different compiler revisions, etc). Watch his face glaze over as he walks toward the pretty MSN butterfly.
OK, I've been a mac user forever, since my Mac SE. I've never minded the extra price for a better (IMHO) machine and OS. Yeah, I thought it was lame when they yanked iTools and started charging for it, but hey, I like their stuff so I supported them and signed up. But this is just getting old. Next, they'll start charging a subscription for routine OS / security update service through SoftwareUpdate, huh? Charging like this is only going to create an open market for pirated software - especially since they don't have any type of copy protection scheme on any of their software.
Sounds like the books O'Reilly publishes - the Missing Manual series. Software released with minimal "help" documentation, so someone comes along and actually makes a book about it.
Or try to learn Checkpoint FW-1 NG with documentation they provide. You have to go to a multi-thousand dollar week long training just to get a decent, helpful manual.