I've blogged a couple of entries about Michael Moore. Needless to say, I despise the guy. And I am a democrat who has financially contributed to John Kerry's campaign since day 1 and will continue to do so until I reach my $2000 limit.
My problem with Michael Moore is that he epitomizes the campaign that was being run by Howard Dean: ride the wave of American frustration and self-loathing to blame absolutely all of the world's woes on one person: George Bush. Because it is far more appealing to address complex issues with very simple rants. In my eyes, such rhetoric belongs in stand-up comedy acts, Dennis Miller Live, and Bill Maher. NOT IN A DEMOCRATIC POLITICAL PLATFORM.
Details about what I mean at my blog URL... that is if someone actually gives a shit what i think.
to clarify and chill myself out a little bit (prozac supplies are low this month:( ), i see two issues:
The fact that Help Viewer.app allows arbitrary arguments to the runscript parameter. This is the specific flaw this article is pointing out. Fixing this downgrades my next point to mere annoyance versus potentially really bad security hole.
Safari's implementation of the HTTP 302 response should be carefully analyzed and only allow cross-protocol redirection if it is absolutely needed. As previously outlined, http <--> https comes to mind, possibly http[s] --> ftp. That's not an OS-level issue, that's a browser/browser framework (WebKit) issue. Addressing this issue should add a decent layer of security: If other applications that are mapped to some other protocols have security flaws, it'll be a little bit harder to trigger them from web pages: you won't be able to obfuscate those bad URLs behind 302 redirects. Most public forums allow users to post URLs. A user can simply do what I did in the parent post: Post an apparently harmless link in the http protocol, but that link could redirect you to something evil in a protocol that is mapped to a securely flawed application. Most public forums do not allow scripting to be embedded in posts, so unless you go surfing some unusual, untrusted site, the situation is not as bad.
Finally a co-worker (and other people in this thread I think) pointed me to this great little application: MoreInternet. I really wish the dude would put up a PayPal link on his home page. Use this app to review which protocols are mapped to which applications. Use that to explore potentially new security holes and/or replace known vulnerable applications with some secure dummy app in a given protocol mapping.
tell me if this does anything. i'm trying to execute ls -l. It should at least launch the help viewer. It does for me and a couple of friends at work. This is bad. really really bad.
The security issue is not a browser issue, it is an operating system issue, more specifically, Mac OS X's protocol handler. Apparently, various protocols are registered to trigger various apps/functionality. Apple needs to take a long, hard look at each single one of them and plug potential security holes.
DAVE HYATT PLEASE HEAR ME
For one, a web browser's handling of the HTTP 302 response code should have thorough security built-in: NEVER, EVER execute a 302 response whose Location: field value is of a protocol that is different from the originating protocol, EXCEPT in a few cases: it should be ok for http to redirect to https, and vice-versa, maybe explore what should be done for http to ftp. http and https are the SAME protocol, but over a different TCP transport. This is why it still makes sense to allow redirection between the two. You should however be very very very wary of allowing any other sort of cross-protocol redirection.
Looking at the example link above, I've got a URL that belongs to the http:// protocol sending an HTTP 302 response (via tinyurl) to the web browser whose Location: header value belongs in the help:// protocol. This is bad. really really REALLY REALLY BAD. It further exacerbates the importance of this security flaw.
APPLE, DAVE HYATT, I IMPLORE YOU, PLEASE FIX THIS ISSUE AT ONCE
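The redirect policy argued for in the two posts above (allow http/https either way, refuse a 302 into any other scheme such as help://, treat ftp as an explicit opt-in), written out as an added example; this is not code from the original posts or from Safari/WebKit. The URLs, the shortener hostname and the captured redirect chain are constructed for the demo.

```python
from urllib.parse import urljoin, urlsplit

# http and https are the same protocol over a different transport, so a
# redirect between them is the one cross-scheme case that is always accepted.
SAME_FAMILY = {("http", "https"), ("https", "http")}


def redirect_allowed(origin_url, location, allow_ftp=False):
    """Decide whether a 302 Location value received while loading origin_url
    may be followed. Returns (allowed, reason).

    Relative Location values ("/login", "//host/path") are resolved against the
    origin first, so they can never change scheme. A Location carrying its own
    scheme (help:, ftp:, ...) survives urljoin unchanged and is then compared
    against the originating scheme.
    """
    origin_scheme = urlsplit(origin_url).scheme.lower()
    target_url = urljoin(origin_url, location)
    target_scheme = urlsplit(target_url).scheme.lower()

    if origin_scheme not in ("http", "https"):
        return False, "policy only covers web origins"
    if target_scheme == origin_scheme:
        return True, "same scheme"
    if (origin_scheme, target_scheme) in SAME_FAMILY:
        return True, "http/https transport change"
    if allow_ftp and target_scheme == "ftp":
        return True, "ftp explicitly permitted"
    return False, "cross-protocol redirect to %s:// refused" % target_scheme


def walk_redirects(origin_url, locations, allow_ftp=False, max_hops=5):
    """Walk a chain of Location values, as a shortener hop followed by a second
    redirect would produce. Stops at the first refused hop or when the hop
    limit is exceeded, and reports the last URL that was still allowed."""
    current = origin_url
    for hop, location in enumerate(locations, start=1):
        if hop > max_hops:
            return {"final": current, "blocked": True, "reason": "too many redirects"}
        allowed, reason = redirect_allowed(current, location, allow_ftp)
        if not allowed:
            return {"final": current, "blocked": True, "reason": reason}
        current = urljoin(current, location)
    return {"final": current, "blocked": False, "reason": "chain completed"}


# Constructed chain: an innocent-looking http link bounces through a shortener
# and then tries to land on a help:// URL. The second hop must be refused.
CONSTRUCTED_ORIGIN = "http://shortener.example/abc"
CONSTRUCTED_CHAIN = ["https://shortener.example/hop2", "help://some-page"]

if __name__ == "__main__":
    print(walk_redirects(CONSTRUCTED_ORIGIN, CONSTRUCTED_CHAIN))
```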
Back in 2001, when i got a 400MHz TiBook and some OS X 10.1 CDs, the first thing i did after wiping the drive and installing 10.1 from scratch, was to create two users: an admin user and a standard user with zero admin privileges.
I have upgraded all the way through today's system, Panther, with a hard drive transfer in the middle from my old TiBook to this new AlBook. Fast user switching and on-the-spot authentication for certain tasks make adminning a breeze while I always remain in my non-privileged user.
The fact still remains that i would get really damned pissed to lose all my shit in my home directory, that's for sure. But this is where rsync, cron and anacron are my friends. At work and at home I have a remote share to which I rsync the contents of my home directory every day. But yeah, not many users do that. heh.
well the deal was very short-lived, it was like a special the reseller-dude at the mall had access to. with taxes, Catherine fees and all that stuff my bill comes right at $60. But yeah he was telling me that normally it's only 600 minutes per month. i got very lucky.
Every month i get a picture of Catherine Zeta-Jones with my mobile phone bill. As far as i'm concerned they could charge me another $20, I wouldn't peep. Rename it to Catherine fee. She's like the most beautiful woman on the planet *and* I get her in the mail every month! OMG.
Joking aside, i'm insanely happy with the t-mobile service. I've found their customer service stellar and the deal i have is pretty sweet: 1000 anytime minutes + unlimited nights and weekends: $40/month. I'm shellin' another $10/month for unlimited t-zones, which gives me unlimited texting, email sending/receiving (pictures, sounds and all), basically unlimited data transfer.
you really are talking out your rear-end... I just wanted to make sure you were aware of this fact. go thru a few of my past posts if u disagree with me.
hey it's funny, i used to have the same sense of security you did with my debian distro, and would run apt-get update and upgrade every day also. Until somehow i found my box owned big time when i woke up for a piss at 4am and found my shell frozen. Not sure how they got in. I promptly turned it off, since i suck at forensics and i don't need it running anymore, it's been off since then. Don't get too cocky, you could very-well get bitten in the ass. If the debian maintainers fail to deliver a timely security update, it's not that they have any obligation to you. With Apple, they *try* to be extra careful since their rep' is on the line. In linux world, the only way to truly maintain your system's security is to read advisories yourself and manually apply patches. Same rule should apply to all maintainers of computer systems that actually run services, but most macs are end-user desktop platforms not running as servers since absolutely all ports are turned-off on a default installation. so it's okay for those mac users to wait for apple-pushed software updates. it's not okay for you to solely rely on apt-get because i'm betting you are at least running httpd.
a fresh new installation of OS X actually has zero ports opened. Not one. It's been that way since early 10.0 betas all the way to today's Panther. Do a fresh installation of OS X, then from another box on your local network run nmap against it, you'll get ZERO hits. Not a single port is turned-on. Which is why Kieren's article was blown way out of proportion, and obviously out to seek sensationalist headlines. And this is also why the author's claims that the OS X holes make Sasser look like nothing are absolutely preposterous. But hey maybe i'm missing something so feel free to correct me. Even if a worm had been developed for OS X and OS X systems were 95% of all desktop systems in the world, there's just no way the worm could have spread because of those 95% about 95% would have ALL services disabled by default. All infections would have been rapidly contained. Regardless, Apple did promptly release patches as actual security updates. It doesn't take a PhD to understand that if your operating system wants you to install a security update you should install it. If you don't, then don't come-a-whining when you get infected.
so really, what's everyone getting their panties all in a bunch against Apple for?
Furthermore there were a few XP exploits that recently leveraged a hole in *windows* firewall software. It's asinine. Not having any port turned-on is actually MORE secure than having a firewall actively filter TCP/IP traffic. Because traffic actually still goes thru the firewall instead of being altogether ignored. Running software firewall on an end-user box and expecting this to be your primary line of defense is still an insanely retarded thing to do. You should always seek to gain access to networks that are already protected from an infrastructure standpoint, that filter traffic *for you*. As far as i'm concerned the only decent way of doing this from a regular user standpoint is to use a broadband gateway running as an actual one-way gateway, not a router. Local network translation. If you wanna run firewall software on your wintel laptop, fine, just know it's simply smarter to know what you're running and turn it off if you don't absolutely need it.
next, as far as overall security is concerned, the BSD Unix heritage of Mac OS X, the underlying Darwin layer is the only thing that truly matters in terms of the most important layers of security. Aqua is absolutely irrelevant in the whole security equation, so I'm failing to see the relevance of your rambling on the subject. You're not exactly teaching anything to anyone when reminding us that the underlying unix core is one of many components of OS X.
Finally, I don't know where you pull claims regarding not being up to date on BSD security fixes. Apple WORKS VERY CLOSELY with BSD and the overall open-source community. Security issues are publicly discussed on security-related mailing lists, which are all searchable thru google. Security issues that affect BSD affect OS X at the exact same time, both are patched and released at the same time.
i agree with you. the fact that you only stick to open-source software brings to light the simplest, yet most effective of all security measures: origin of software.
While it's silly to deride the guy because he trusted the icon and the file size looked alright, the thing he should never have done in the first place was acquire a piece of software over LimeWire. Most software updates are available thru OS X's software update mechanism, the vendor's website, and/or from the application itself. If you acquire software from such a wildly uncontrolled source as LimeWire, you're asking for trouble and you gotta be ready to pay the price.
If I was to be doing any significant amount of random software downloading from sources i know i cannot possibly trust, I would leverage Panther's nifty Fast User Switching ability after creating a brand new OS X user with ABSOLUTELY NO administrative access and as many restrictions as i can enable in the preferences pane upon user creation. Once wearing this super-strong unix condom, I would then go on my slutty way downloading and trying random shit all-day long. I execute a trojan? no biggie. i ain't got shit in my home directory, since i'm running as a unix user that does not have critical access to the system, the only thing i can possibly hurt is my home directory. As i would try various pieces of software and determine a given piece of ware is "safe" i would "drag" its package to my system-wide applications folder, at which point Panther would notify me that i'm not allowed to do that, that is, unless i'd notice and choose to click on that little button that says "authenticate" (very VERY nice thing about Panther) so i can enter some admin credentials to proceed with this action.
ah... the wonders of a modern operating system with true, strong concepts of user-level security and restrictions.
XAML is windows-only and is a lame attempt at reinventing a wheel that the Mozilla working group has so nicely invented: The Mozilla cross-platform application framework. XAML would restrict apps to windows.
furthermore, i consider XAML to be a very dangerous technology as far as security is concerned. It looks to me like it attempts to further blur the line between web "pages" and full-blown applications running on the client-side with no permissions restrictions.
lemme put it this way: it is okay for "web pages" to embrace some technologies that enable various compelling user-interface paradigms to further enrich the browsing experience: DOM/CSS/JavaScript (DHTML), Flash and whatnot. As long as they cleanly operate within the browser sandbox.
It is okay for applications and application frameworks to embrace and build-upon web-based technologies to further enrich user interfaces that should inherit from web-browsing user-interface paradigms: Mozilla Application Framework, KHTML/WebKit. Such applications are real applications which users must go thru the conscious steps of installing, with the inherent knowledge that an application could actually hurt their computer system. Any application that works within this model is standalone, and was installed within the constraints of the operating system.
What microsoft appears to be doing with XAML is to push ActiveX one step further, and instead of blurring the line between a web-based document and a full-blown computer application, simply COMPLETELY REMOVING THIS SEPARATION. You'd be looking at running applications simply by pointing your application to a web-based URL: http://widgets.com/evilApp.xaml. Security implications of this are HUGE and horrific when considering microsoft's past track record.
I believe microsoft sees Mozilla as a threat. XAML is their answer to that threat. That blog is attempting to seed brains in that direction.
consider the fact that today, to upgrade windows, you are trained to go to http://www.windowsupdate.com/ and watch your whole upgrade happen INSIDE of your web browser. Forget downloading an executable and running it or having a separate application that is dedicated to software updates. NAH. let's just teach users that running software from your browser is... OKAY. So next time they see an ActiveX prompt about allowing some code from Gator/Claria, Inc. to run, they'll think that's OKAY too. Let's really remove all layers of security and further open ourselves to stupid worm-spawning trojans.
i'll stop here. windows appalls me. if it doesn't appall you then you've never had to support armies of newbies running windoz, starting with your own family.
How many network ports are open when you install Mac OS X? NONE. not one. buy a mac, turn it on, put it on some network, run any port-sniffing utility against it, such as nmap from another machine, guess how many hits you get back? NONE. NOT ONE.
Now. Look at windows. for years m$ has wanted to facilitate the life of LAZY corporate network administrators and enable all kinds of services out of the box upon installing their operating system. This behavior has been "inherited" even in the more "personal" versions of windows.
NO OPERATING SYSTEM IS SECURE IN ABSOLUTE TERMS. Apple never made such claims, neither are mac os x users fooled into believing so. Security vulnerabilities are a fact of computing.
The key here is that security works in LAYERS. Just like Ogres and Onions, security has layers: Network, Operating System, Applications, User Education among a few.
Various practices promote better security at various layers. Apple has consistently been better at this than Microsoft ever has. Let's look at a few random considerations:
In OS X, software updates are handled thru a dedicated software update program that functions within user-level permission constraints. On Windows, you open your fucking web browser and go to windowsupdate.com to upgrade your computer, while the software installation happens INSIDE THE FUCKING BROWSER, all this made possible thru this security-holes-ridden framework called ActiveX. Now, try to educate users to NOT click yes on ActiveX warnings when they're about to download "this really cool screen saver"?
Most windows installations have for years at least enabled file sharing by default, and various pieces of other crap running on port 139. Web sharing, IIS, web-based admin, RPC, the list goes on.
The core pieces of OS X that are affected by security considerations are open-source, part of the Darwin framework. While security holes will always be popping-up, this approach to operating system development and maintenance promotes maturity and better security.
Since Apple has fairly nicely layered its security model in its operating system, the impact of security holes is typically less dramatic. Most of what this article is accusing Apple of is not publicly screaming "OH MY FUCKING GOSH THERE ARE A BUNCH OF HOLES IN OUR SYSTEM". Indeed, they sometimes put a bit of a spin and don't feed rumors any further. Just because Apple doesn't return calls from sensational-headline-hungry journalists, does not mean they're not actively working with the people they should be working with: Security experts. Just look at Apple's release notes. They're doing exactly what they should be doing: citing advisories outlining the security holes for anybody to look them up, and publicly acknowledging and thanking the people who found them.
Kieren McCarthy's article is riddled with fallacies, here's one of my favorites: "In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip". I rest my case.
Being a native french speaker, albeit a U.S. resident for almost a decade, I've found many of the english internet terms to stick to the french language. "Chat", is almost always used in place of "conversation electronique". I've seen "e-Mail" used more often than "courrier electronique". Believe me, the french can deal with english app names. Photoshop. Illustrator. Flash. So can germans and japanese. No worries.
I'll have to second this remark. As far as i'm concerned, windows upgrades have all been SSDS (Same Shit Different Skin). I used NT4 and 2000 for quite a while, switched to Mac OS 10.1 right 'round when XP came out.
Yesterday I installed a LinkSys 802.11b/g WiFi PCCard on my GF's work laptop, and lemme tell you, there is nothing friendly about this operating system. Networking Setup in windows SIMPLY SUCKS WILD NUTS, and i find everything about the UI absolutely retarded and user-unfriendly. In contrast, I still have an installation of win2k in virtual PC and I find it more usable than XP. It's hard to explain, but XP keeps popping stupid help boxes that clutter the already-constricted UI, it's in my face, it sucks. i know my GF did not enable that shit, so it must have been in there by default. Upon installing the LinkSys wireless card thru the installer that came on the CDROM, her computer was able to communicate with the LinkSys WiFi Access Point, *BUT* was not able to get connected to the LAN upon sending out DHCP requests. The LinkSys AP admin console did show her laptop in the list of active DHCP users shortly after her laptop would boot (i kept clearing the list so i could see it show-up), but the laptop itself kept failing to register an IP address, even after successive ipconfig /renew. ipconfig kept showing a self-assigned ip address. RE-TAR-DED. After much tinkering I solved the problem by disabling all network adapters for this wireless card, except TCP/IP. I'm sure one of them was causing some conflict, I didn't care to isolate which precise one it was, I just saw the shit working, and was like "cool, i'm fucking done".
OS X, even since 10.0.x and 10.1, has always very nicely laid out the various network ports available for use and configuration. It just makes sense. Of course it helps that WiFi cards already come pre-installed on most systems. Why do PC laptops insist on not shipping with a WiFi card inside the chassis, instead of resorting to an ugly protruding PC Card? Can't we find a better use for a PC Card slot?
hey fair enough, but i'll tell you what: as soon as people no-longer feel they can confidently make fair-use of their online-purchased commercial music, they'll stop using those services. Apple is not sneaking anything up on anyone. Rules are clearly stated up-front. People are mixing together DRM associated with online music and DMCA laws, and bagging it all together as one big evil thing. A DRM Scheme is supposed to promote copyright protection within a framework that has properly educated the user as to what the scheme will allow them to do and not do. When properly implemented, it would make sense to invoke the DMCA to prosecute circumventions of that scheme.
I would say that the DRM scheme implemented in iTMS is one of the very few schemes that should be protected by laws under the DMCA. The problem with DMCA is that it is abused left and right by corporations and various software and hardware companies to actually limit activities that should fall under fair-use. For example the RIAA will sue your ass if you're caught trying to bypass encryption that was snuck onto an Audio CD without your prior knowledge when buying the CD. That, in my opinion is abuse of DMCA, because the consumer was not properly educated in the first place.
People tend to put all acronyms in the same "evil" bag. DRM CAN be fair. And I challenge anyone to prove me Apple's DRM scheme isn't, in fact, fair.
retarded? holy shit. read my other posts i've addressed this way too many times already.
your analogy, like most analogies, is FLAWED. There is a generational loss and considerable overhead in duplicating cassettes: analog signal degrades with each copy. Making copies requires playing the original at normal speed. Digital music is an entirely different technology, if i have to further explain why, then YOU are acting retarded, and as a different technology that allows instant, lossless duplication of music, requires a different business model.
i call bullshit on your bullshit calling. If no DRM whatsoever was placed on music purchased online, you can bet your ass that P2P networks would have far more music to play with. And you can bet your ass the RIAA would never go for this. There's just no way. Why do you think they are suing music swappers right now? How much credibility do you think the RIAA would get in court when on one hand they sue students who swap music on campus, on the other hand, sell their music in digital format, FOR CHEAP *AND* without any DRM so digital files could instantly be swapped in P2P networks??? It would not make any business or litigation sense for the RIAA to sell commercial music in digital format without imposing DRM. At least not with the information that they currently have. If usage of the iTMS increases while fileswapping subsides, then MAYBE, they'll evolve.
in any case, the DRM scheme behind iTMS was developed to address one simple, specific problem: the RIAA does not want their music to flow around networks in digital format. One of their early initiatives was to SNEAK, without warning the user, encryption onto regular, physical CDs to PREVENT users from ripping their CDs. Now THAT is bad: aside from crashing many computers and regular audio CD players, it was preventing users from exercising their rights to fair use. Apple's DRM scheme is slowly educating RIAA labels to chill the fuck out on crippling their CDs and allowing them to migrate into the new digital millennium of the instant digital music gratification so many of their potential customers craved.
Incidentally, Apple has also provided a fair online digital music marketplace business, which MANY independent record labels have come to embrace, as this business model allows their artists to gain far greater exposure while retaining much of the profits as Apple doesn't make shit on music sales.
i've said it before and i'll say it again: fight the RIAA by not purchasing RIAA-controlled music. Fighting Apple thru reverse-engineering is only hurting Apple's credibility in front of the RIAA, not the RIAA. If Apple's credibility is shot, their business model goes to shit, and indie labels and artists suddenly become deprived of the last opportunity for their music to come out of the indie darkness and onto mainstream distribution. Apple is slowly but surely building more and more "community" features into their platform, the same way Amazon has done it for years, which will be a great way for people to share great music with one-another, thereby educating them about music they may have not otherwise heard of thru mainstream media, which are in bed with RIAA labels in the first place.
People need to start thinking about consequences of their actions and stop addressing complex problems with oversimplified, unrealistic solutions: "Hey let's solve world hunger: KILL ALL THE MOFOZ WHO STARVE".
you are only locked into Apple's platform if you choose to remain locked. Apple is giving you the tools you need to pursue fair use to its full extent. You can burn your iTMS music to CDs all you want, DRM restrictions are EASY to get around and LEGAL within fair-use, they are merely there to prevent the mainstream crowd to instantly feed their iTMS music to P2P networks.
i think we're in agreement. the key here is to fight the RIAA, *not* Apple. Apple's online store ALSO supports non-RIAA labels and indie music. Money spent on such non-RIAA-owned songs gets back to the artists in far greater percentages, since Apple isn't really looking to make a profit on music sales themselves, while Apple still offers music lovers a framework for a fair online music marketplace.
well said! the hypocrisy of it all infuriates me. At least Apple has been clear about what they're about from day 1. Can't say as much of some geeks in here:\
why this clueless paranoid numbnut behind the parent post got modded-up as "insightful" is beyond me. But hey it's an opinion i guess.
You, "bogie", may not deem the Apple Music Store useful, but there are quite a few hundred thousand satisfied customers out there, including myself, who beg to differ.
Online digital music distribution does not replace CDs. It complements them. This is the one true distinction you have to make here. Sneaking DRM onto a physically-purchased CD without informing the buyer is a NO-NO. It does deny fair-use in the fact that you, as a consumer, are not warned AHEAD of time of the presence of DRM and cannot make an informed decision about buying the CD and vote with your dollars. This is way different from online music. DRM exists as a clearly-stated condition of purchase of online music. You KNOW ahead of time what to expect. You are making an informed choice. If you do not deem the service fit for your needs, you have MANY OTHER OPTIONS for purchasing music: CDs, Cassettes, DVDs, VHS, and more. This is why both online and physical music distribution coexist nicely: they fill DIFFERENT NEEDS.
DRM->CD->NON-DRM will last forever, that is, if Apple wants to retain their customers. Again, rules are always clearly stated, when they change, people will vote with their money. It's that simple. Going from 10 burns of the SAME playlist to 7 by no means restricts your fair use, you can easily clone audio CDs, or switch tracks around. These are just bones Apple throws at RIAA to keep them at bay. What is more relevant is the fact that you can NOW listen to your music on 5 computers AT THE SAME TIME, from the original digital file you purchased. And you can listen to your music on an unlimited amount of computers, even if you format your hard drive, change CPUs or whatnot, as long as 5 remains the total number of machines authorized simultaneously.
Apple is not restricting OWNERSHIP of your purchased music. In fact it is PROMOTING IT by encouraging YOU to retain sole control over who can or cannot listen to your music. Apple is merely trying to limit the post-sale, illegal distribution of online music by putting simple, easily avoidable, "ROADBLOCKS" in the straightforward digital distribution chain. There is nothing revolutionary about breaking or circumventing their DRM scheme. Those processes are in place to enable them to do business with the RIAA, hoping that the few marginal geeks that get around the DRM will stay below RIAA's radar. But noooo, not only geeks are stupid enough to pursue their cracking efforts, they're stupid enough to go out and BRAG ABOUT IT.
The end result of Apple's DRM scheme is that you can do anything you could LEGALLY, WITHIN FAIR USE ever want to do with your music, aside from turning right around and swapping it in P2P networks.
As a consumer, I want as many options to buy music as possible. The success of iTMS proves that I'm not the only one out there. I happen to still be a faithful buyer of physical Music CDs from Amazon.com because I very much relate to physical goods. I like CD cases, I like album art that is already printed for me, I like having lyrics in inserts. Once in a while I'll get a song from the iTMS. When i get batches of 10 iTMS-purchased songs, i burn them to a CD, which I bring to my car thereby making my one-hour commute to work more and more enjoyable. I can duplicate those audio CDs I've made as much as I want, and/or rip them back as MP3s.
What you advocate thru your cluelessness and paranoia will do nothing BUT remove the options I have as a consumer of Music. There is no getting around this: *COMMERCIAL* MUSIC that is distributed online, in digital format NEEDS some sort of DRM Scheme. It is the only way this form of doing business will ever survive and Apple's scheme happens to be the loosest scheme on the market. Sit down and let the reality of this last sentence hit you in the face. Now, take a deep breath. And try to prove me wrong.
i live for karma suicide and worship my foes. so here goes:
no you silly
Geeks invoke Fair-Use as a cop-out from facing the legal and moral responsibilities for their actions which are, IN FACT, all-too-often, either STEALING MUSIC, or illegally breaking a copyright-protection scheme. There is no bullshitting your way around this. There is no way you can argue a decent case in court for protecting your so-precious rights to fair-use, because this is not what this is about.
You wanna do something productive with your time? here are a few suggestions:
DON'T BUY OR LISTEN TO SONGS AND ARTISTS OWNED BY THE RIAA.
One day geeks all up in arms against Apple digital music business will have to realize the sad truth: they're not out to fight some noble battle that'll change the world for the better in a nirvana of computing where everything is free and nobody makes money. They are in fact acting like childish lifeless nerds with too much fucking time on their hands. Most DRM schemes are not hard to crack. in fact, they are easy to crack. The reason why so few people publish their work is because most people understand that online digital music sale NEEDS DRM to survive as a business model.
See it works this way: artists want money for their work, even if it means they get screwed by RIAA labels from a percentage standpoint, at least they get fame and plenty of fucking money ANYWAY. RIAA labels want to make money off of songs. Apple wants to sell songs online. RIAA doesn't trust people to not spread around music they've purchased. Apple comes up with a scheme to make RIAA feel better. Agreement is reached. RIAA labels benefit, Apple benefits, and, believe it or not, WE CONSUMERS BENEFIT TOO: we consumers are no-longer stuck with buying entire albums for 2 songs we like. I don't know about you but i'm not exactly looking forward to a world where my only alternative for online music purchase is WMA-DRM'ed music, subscription services that'll render my songs useless as soon as i discontinue my service, and clumsy online stores.
Claims of "defeating" pop-up blockers are completely false allegations. It is just a fancy spin on the very simple fact that pop-up blockers, good ones at least, cannot be defeated, and advertisers have now opted for AN ALTERNATIVE form of advertisement, which is thru floating DHTML layers. The fact that they can detect the presence of some sort of pop-up blocking is irrelevant, this has always been possible in a few lines of code. Consider those floating ads as glorified, more interactive regular image or static flash banners, the key point is that they can only live within the current document, and GO AWAY as soon as either 1) the user clicks on the close button if they choose to be wise and provide one or 2) go to another site after having been annoyed by said ad.
This is nothing but a spin.
On the other hand, what was so powerful about pop-up and pop-unders is that they could spawn with or without the user's instant knowledge and keep spawning more of themselves, often defeating users' repeated attempts at closing them. Well-designed pop-up chains could keep the user clicking for minutes!
I'll have to agree with you here.
See a more detailed analysis of the scope of this problem in this post.
This post also confirms my suspicions.
It is bad. A very bad issue. This needs fixing RIGHT NOW. Why is this thing not getting more press coverage?
Finally, a co-worker (and other people in this thread, I think) pointed me to this great little application: MoreInternet. I really wish the dude would put up a PayPal link on his home page. Use this app to review which protocols are mapped to which applications. Use that to explore potentially new security holes and/or replace known vulnerable applications with some secure dummy app in a given protocol mapping.
Tell me if this does anything. I'm trying to execute ls -l. It should at least launch the Help Viewer. It does for me and a couple of friends at work. This is bad. Really, really bad.
The security issue is not a browser issue, it is an operating system issue, more specifically, Mac OS X's protocol handler. Apparently, various protocols are registered to trigger various apps/functionality. Apple needs to take a long, hard look at each single one of them and plug potential security holes.
DAVE HYATT PLEASE HEAR ME
For one, a web browser's handling of the HTTP 302 response code should have thorough security built in: NEVER, EVER execute a 302 response whose Location: field value is of a protocol that is different from the originating protocol, EXCEPT in a few cases: it should be OK for http to redirect to https, and vice versa; maybe explore what should be done for http to ftp. http and https are the SAME protocol, but over a different TCP transport. This is why it still makes sense to allow redirection between the two. You should however be very, very, very wary of allowing any other sort of cross-protocol redirection.
Looking at the example link above, I've got a URL that belongs to the http:// protocol sending an HTTP 302 response (via tinyurl) to the web browser whose Location: header value belongs in the help:// protocol. This is bad. Really, really, REALLY REALLY BAD. It further exasperates the importance of this security flaw.
APPLE, DAVE HYATT, I IMPLORE YOU, PLEASE FIX THIS ISSUE AT ONCE
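The cross-protocol redirect policy the post above argues for, written out as an added example that is not part of the original post and is not Safari/WebKit code: http and https redirect to each other freely, http[s] to ftp is surfaced for confirmation, and every other scheme change (help: included) is refused. The chain is checked hop by hop, since a shortener in front of the real redirect is what made the posted link look like plain http. The host names, the example help: URL and the redirect chain are all constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Added example of a fail-closed cross-protocol redirect policy. Not Safari or
# WebKit code. Scheme pairs, host names and the redirect chain are constructed.

# http <-> https is the same protocol over a different transport: follow silently.
SAME_PROTOCOL = {("http", "http"), ("https", "https"), ("http", "https"), ("https", "http")}
# http[s] -> ftp is the case the post says still needs thought: ask the user.
NEEDS_CONFIRMATION = {("http", "ftp"), ("https", "ftp")}


def redirect_decision(origin_url: str, location: str) -> str:
    """Decide what to do with a 302 Location value received while on origin_url.

    Returns "follow", "confirm" or "block". Any scheme pair not explicitly
    listed (for example http -> help:, which hands the URL to a local helper
    application) is blocked, so unknown protocol handlers are never reached.
    """
    origin_scheme = urlsplit(origin_url).scheme.lower()
    target_scheme = urlsplit(location).scheme.lower()
    if not target_scheme:
        # Relative Location header: it resolves against the origin, same scheme.
        target_scheme = origin_scheme
    pair = (origin_scheme, target_scheme)
    if pair in SAME_PROTOCOL:
        return "follow"
    if pair in NEEDS_CONFIRMATION:
        return "confirm"
    return "block"


def follow_chain(start_url: str, responses: dict, max_hops: int = 10):
    """Walk a chain of 302 responses, applying redirect_decision at every hop.

    `responses` maps a URL to the Location header its server returns; a URL
    absent from the map is a final page. Returns (last_url, hops, outcome)
    where hops is a list of (from_url, location, decision) and outcome is
    "landed", "confirm", "block" or "too_many_redirects". Every hop is
    checked, so a scheme change hidden behind a URL shortener is still caught.
    """
    url = start_url
    hops = []
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return url, hops, "landed"
        decision = redirect_decision(url, location)
        hops.append((url, location, decision))
        if decision != "follow":
            return url, hops, decision
        url = urljoin(url, location)
    return url, hops, "too_many_redirects"


# Constructed chain: a shortener-style http link bounces once more over http,
# then tries to hand off to a local help: handler.
CONSTRUCTED_CHAIN = {
    "http://short.example/abc": "http://mirror.example/landing",
    "http://mirror.example/landing": "help://example/",
}

if __name__ == "__main__":
    last_url, hops, outcome = follow_chain("http://short.example/abc", CONSTRUCTED_CHAIN)
    for src, loc, decision in hops:
        print(f"{src} -> {loc}: {decision}")
    print(f"stopped at {last_url}: {outcome}")
```

The policy is an allow-list rather than a deny-list: a handler that nobody thought about when the browser shipped is blocked by default instead of being reachable from any page that can emit a 302.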
Back in 2001, when I got a 400MHz TiBook and some OS X 10.1 CDs, the first thing I did after wiping the drive and installing 10.1 from scratch was to create two users: an admin user and a standard user with zero admin privileges.
I have upgraded all the way through today's system, Panther, with a hard drive transfer in the middle from my old TiBook to this new AlBook. Fast user switching and on-the-spot authentication for certain tasks make adminning a breeze while I always remain in my non-privileged user.
The fact still remains that I would get really damned pissed to lose all my shit in my home directory, that's for sure. But this is where rsync, cron and anacron are my friends. At work and at home I have a remote share to which I rsync the contents of my home directory every day. But yeah, not many users do that. Heh.
Apple needs to fucking plug that hole, *fast*.
OMFG. That is a *great* idea. Someone PLEASE MOD PARENT UP.
Well, the deal was very short-lived; it was like a special the reseller dude at the mall had access to. With taxes, Catherine fees and all that stuff, my bill comes right at $60. But yeah, he was telling me that normally it's only 600 minutes per month. I got very lucky.
Every month I get a picture of Catherine Zeta-Jones with my mobile phone bill. As far as I'm concerned they could charge me another $20; I wouldn't peep. Rename it to Catherine fee. She's like the most beautiful woman on the planet *and* I get her in the mail every month! OMG.
Joking aside, I'm insanely happy with the T-Mobile service. I've found their customer service stellar and the deal I have is pretty sweet: 1000 anytime minutes + unlimited nights and weekends: $40/month. I'm shellin' another $10/month for unlimited t-zones, which gives me unlimited texting, email sending/receiving (pictures, sounds and all), basically unlimited data transfer.
Anyhoo. Go Catherine! :D
You really are talking out your rear end ... I just wanted to make sure you were aware of this fact. Go thru a few of my past posts if you disagree with me.
Hey, it's funny, I used to have the same sense of security you did with my Debian distro, and would run apt-get update and upgrade every day also. Until somehow I found my box owned big time when I woke up for a piss at 4am and found my shell frozen. Not sure how they got in. I promptly turned it off; since I suck at forensics and I don't need it running anymore, it's been off since then. Don't get too cocky, you could very well get bitten in the ass. If the Debian maintainers fail to deliver a timely security update, it's not that they have any obligation to you. With Apple, they *try* to be extra careful since their rep' is on the line. In the Linux world, the only way to truly maintain your system's security is to read advisories yourself and manually apply patches. The same rule should apply to all maintainers of computer systems that actually run services, but most Macs are end-user desktop platforms not running as servers, since absolutely all ports are turned off on a default installation. So it's okay for those Mac users to wait for Apple-pushed software updates. It's not okay for you to solely rely on apt-get, because I'm betting you are at least running httpd.
Hey, I'll just clarify a few things:
A fresh new installation of OS X actually has zero ports open. Not one. It's been that way since the early 10.0 betas all the way to today's Panther. Do a fresh installation of OS X, then from another box on your local network run nmap against it; you'll get ZERO hits. Not a single port is turned on. Which is why Kieren's article was blown way out of proportion, and obviously out to seek sensationalist headlines. And this is also why the author's claims that the OS X holes make Sasser look like nothing are absolutely preposterous. But hey, maybe I'm missing something, so feel free to correct me. Even if a worm had been developed for OS X and OS X systems were 95% of all desktop systems in the world, there's just no way the worm could have spread, because of those 95%, about 95% would have ALL services disabled by default. All infections would have been rapidly contained. Regardless, Apple did promptly release patches as actual security updates. It doesn't take a PhD to understand that if your operating system wants you to install a security update, you should install it. If you don't, then don't come-a-whining when you get infected.
So really, what's everyone getting their panties all in a bunch against Apple for?
Furthermore, there were a few XP exploits that recently leveraged a hole in *Windows* firewall software. It's asinine. Not having any port turned on is actually MORE secure than having a firewall actively filter TCP/IP traffic, because traffic actually still goes thru the firewall instead of being altogether ignored. Running software firewall on an end-user box and expecting this to be your primary line of defense is still an insanely retarded thing to do. You should always seek to gain access to networks that are already protected from an infrastructure standpoint, that filter traffic *for you*. As far as I'm concerned, the only decent way of doing this from a regular user standpoint is to use a broadband gateway running as an actual one-way gateway, not a router. Local network translation. If you wanna run firewall software on your Wintel laptop, fine, just know it's simply smarter to know what you're running and turn it off if you don't absolutely need it.
Next, as far as overall security is concerned, the BSD Unix heritage of Mac OS X, the underlying Darwin layer, is the only thing that truly matters in terms of the most important layers of security. Aqua is absolutely irrelevant in the whole security equation, so I'm failing to see the relevance of your rambling on the subject. You're not exactly teaching anything to anyone when reminding us that the underlying Unix core is one of many components of OS X.
Finally, I don't know where you pull claims regarding not being up to date on BSD security fixes. Apple WORKS VERY CLOSELY with BSD and the overall open-source community. Security issues are publicly discussed on security-related mailing lists, which are all searchable thru Google. Security issues that affect BSD affect OS X at the exact same time; both are patched and released at the same time.
I agree with you. The fact that you only stick to open-source software brings to light the simplest, yet most effective, of all security measures: origin of software.
While it's silly to deride the guy because he trusted the icon and the file size looked alright, the thing he should never have done in the first place was acquire a piece of software over LimeWire. Most software updates are available thru OS X's software update mechanism, the vendor's website, and/or from the application itself. If you acquire software from such a wildly uncontrolled source as LimeWire, you're asking for trouble and you gotta be ready to pay the price.
If I were to be doing any significant amount of random software downloading from sources I know I cannot possibly trust, I would leverage Panther's nifty Fast User Switching ability after creating a brand new OS X user with ABSOLUTELY NO administrative access and as many restrictions as I can enable in the preferences pane upon user creation. Once wearing this super-strong Unix condom, I would then go on my slutty way downloading and trying random shit all day long. I execute a trojan? No biggie. I ain't got shit in my home directory; since I'm running as a Unix user that does not have critical access to the system, the only thing I can possibly hurt is my home directory. As I would try various pieces of software and determine a given piece of ware is "safe", I would "drag" its package to my system-wide Applications folder, at which point Panther would notify me that I'm not allowed to do that, that is, unless I'd notice and choose to click on that little button that says "authenticate" (very VERY nice thing about Panther) so I can enter some admin credentials to proceed with this action.
Ah ... the wonders of a modern operating system with true, strong concepts of user-level security and restrictions.
XAML is Windows-only and is a lame attempt at reinventing a wheel that the Mozilla working group has so nicely invented: the Mozilla cross-platform application framework. XAML would restrict apps to Windows.
Furthermore, I consider XAML to be a very dangerous technology as far as security is concerned. It looks to me like it attempts to further blur the line between web "pages" and full-blown applications running on the client side with no permission restrictions.
Lemme put it this way: it is okay for "web pages" to embrace some technologies that enable various compelling user-interface paradigms to further enrich the browsing experience: DOM/CSS/JavaScript (DHTML), Flash and whatnot, as long as they cleanly operate within the browser sandbox.
It is okay for applications and application frameworks to embrace and build upon web-based technologies to further enrich user interfaces that should inherit from web-browsing user-interface paradigms: Mozilla Application Framework, KHTML/WebKit. Such applications are real applications which users must go thru the conscious steps of installing, with the inherent knowledge that an application could actually hurt their computer system. Any application that works within this model is standalone, and was installed within the constraints of the operating system.
What Microsoft appears to be doing with XAML is to push ActiveX one step further and, instead of blurring the line between a web-based document and a full-blown computer application, simply COMPLETELY REMOVE THIS SEPARATION. You'd be looking at running applications simply by pointing your application to a web-based URL: http://widgets.com/evilApp.xaml. The security implications of this are HUGE and horrific when considering Microsoft's past track record.
I believe Microsoft sees Mozilla as a threat. XAML is their answer to that threat. That blog is attempting to seed brains in that direction.
Consider the fact that today, to upgrade Windows, you are trained to go to http://www.windowsupdate.com/ and watch your whole upgrade happen INSIDE of your web browser. Forget downloading an executable and running it or having a separate application that is dedicated to software updates. NAH. Let's just teach users that running software from your browser is ... OKAY. So next time they see an ActiveX prompt about allowing some code from Gator/Claria, Inc. to run, they'll think that's OKAY too. Let's really remove all layers of security and further open ourselves to stupid worm-spawning trojans.
I'll stop here. Windows appalls me. If it doesn't appall you, then you've never had to support armies of newbies running windoz, starting with your own family.
How many network ports are open when you install Mac OS X? NONE. Not one. Buy a Mac, turn it on, put it on some network, run any port-sniffing utility against it, such as nmap from another machine, and guess how many hits you get back? NONE. NOT ONE.
Now. Look at Windows. For years m$ has wanted to facilitate the life of LAZY corporate network administrators and enable all kinds of services out of the box upon installing their operating system. This behavior has been "inherited" even in the more "personal" versions of Windows.
NO OPERATING SYSTEM IS SECURE IN ABSOLUTE TERMS. Apple never made such claims, nor are Mac OS X users fooled into believing so. Security vulnerabilities are a fact of computing.
The key here is that security works in LAYERS. Just like ogres and onions, security has layers: network, operating system, applications, user education, among a few.
Various practices promote better security at various layers. Apple has consistently been better at this than Microsoft ever has. Let's look at a few random considerations:
In OS X, software updates are handled thru a dedicated software update program that functions within user-level permission constraints. On Windows, you open your fucking web browser and go to windowsupdate.com to upgrade your computer, while the software installation happens INSIDE THE FUCKING BROWSER, all this made possible thru this security-hole-ridden framework called ActiveX. Now, try to educate users NOT to click yes on ActiveX warnings when they're about to download "this really cool screen saver".
Most Windows installations have for years at least enabled file sharing by default, and various other pieces of crap running on port 139. Web sharing, IIS, web-based admin, RPC, the list goes on.
The core pieces of OS X that are affected by security considerations are open-source, part of the Darwin framework. While security holes will always be popping up, this approach to operating system development and maintenance promotes maturity and better security.
Since Apple has fairly nicely layered the security model in its operating system, the impact of security holes is typically less dramatic. Most of what this article is accusing Apple of is not publicly screaming "OH MY FUCKING GOSH THERE ARE A BUNCH OF HOLES IN OUR SYSTEM". Indeed, they sometimes put a bit of a spin on it and don't feed rumors any further. Just because Apple doesn't return calls from sensational-headline-hungry journalists does not mean they're not actively working with the people they should be working with: security experts. Just look at Apple's release notes. They're doing exactly what they should be doing: citing advisories outlining the security holes for anybody to look them up, and publicly acknowledging and thanking the people who found them.
Kieren McCarthy's article is riddled with fallacies; here's one of my favorites: "In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip". I rest my case.
Being a native French speaker, albeit a U.S. resident for almost a decade, I've found many of the English internet terms stick in the French language. "Chat" is almost always used in place of "conversation électronique". I've seen "e-mail" used more often than "courrier électronique". Believe me, the French can deal with English app names. Photoshop. Illustrator. Flash. So can Germans and Japanese. No problem there.
I'll have to second this remark. As far as I'm concerned, Windows upgrades have all been SSDS (Same Shit, Different Skin). I used NT4 and 2000 for quite a while, and switched to Mac OS 10.1 right 'round when XP came out.
Yesterday I installed a LinkSys 802.11b/g WiFi PC Card on my GF's work laptop, and lemme tell you, there is nothing friendly about this operating system. Networking setup in Windows SIMPLY SUCKS WILD NUTS, and I find everything about the UI absolutely retarded and user-unfriendly. In contrast, I still have an installation of Win2k in Virtual PC and I find it more usable than XP. It's hard to explain, but XP keeps popping stupid help boxes that clutter the already-constricted UI; it's in my face, it sucks. I know my GF did not enable that shit, so it must have been in there by default. Upon installing the LinkSys wireless card thru the installer that came on the CD-ROM, her computer was able to communicate with the LinkSys WiFi access point, *BUT* was not able to get connected to the LAN upon sending out DHCP requests. The LinkSys AP admin console did show her laptop in the list of active DHCP users shortly after her laptop would boot (I kept clearing the list so I could see it show up), but the laptop itself kept failing to register an IP address, even after successive ipconfig /renew. ipconfig kept showing a self-assigned IP address. RE-TAR-DED. After much tinkering I solved the problem by disabling all network adapters for this wireless card, except TCP/IP. I'm sure one of them was causing some conflict; I didn't care to isolate which precise one it was, I just saw the shit working, and was like "cool, I'm fucking done".
OS X, even since 10.0.x and 10.1, has always very nicely laid out the various network ports available for use and configuration. It just makes sense. Of course it helps that WiFi cards already come pre-installed on most systems. Why do PC laptops insist on not shipping with a WiFi card inside the chassis, instead of resorting to an ugly protruding PC Card? Can't we find a better use for a PC Card slot?
Teehee :) +1 funny :)
Now, imagine a Beowulf cluster of those!
Hey, fair enough, but I'll tell you what: as soon as people no longer feel they can confidently make fair use of their online-purchased commercial music, they'll stop using those services. Apple is not sneaking anything up on anyone. Rules are clearly stated up front. People are mixing together DRM associated with online music and DMCA laws, and bagging it all together as one big evil thing. A DRM scheme is supposed to promote copyright protection within a framework that has properly educated the user as to what the scheme will allow them to do and not do. When properly implemented, it would make sense to invoke the DMCA to prosecute circumventions of that scheme.
I would say that the DRM scheme implemented in iTMS is one of the very few schemes that should be protected by laws under the DMCA. The problem with the DMCA is that it is abused left and right by corporations and various software and hardware companies to actually limit activities that should fall under fair use. For example, the RIAA will sue your ass if you're caught trying to bypass encryption that was snuck onto an audio CD without your prior knowledge when buying the CD. That, in my opinion, is abuse of the DMCA, because the consumer was not properly educated in the first place.
People tend to put all acronyms in the same "evil" bag. DRM CAN be fair. And I challenge anyone to prove to me Apple's DRM scheme isn't, in fact, fair.
Retarded? Holy shit. Read my other posts; I've addressed this way too many times already. Your analogy, like most analogies, is FLAWED. There is a generational loss and considerable overhead in duplicating cassettes: the analog signal degrades with each copy. Making copies requires playing the original at normal speed. Digital music is an entirely different technology; if I have to further explain why, then YOU are acting retarded, and as a different technology that allows instant, lossless duplication of music, it requires a different business model.
I call bullshit on your bullshit calling. If no DRM whatsoever was placed on music purchased online, you can bet your ass that P2P networks would have far more music to play with. And you can bet your ass the RIAA would never go for this. There's just no way. Why do you think they are suing music swappers right now? How much credibility do you think the RIAA would get in court when on one hand they sue students who swap music on campus, and on the other hand sell their music in digital format, FOR CHEAP *AND* without any DRM, so digital files could instantly be swapped in P2P networks??? It would not make any business or litigation sense for the RIAA to sell commercial music in digital format without imposing DRM. At least not with the information that they currently have. If usage of the iTMS increases while fileswapping subsides, then MAYBE they'll evolve.
In any case, the DRM scheme behind iTMS was developed to address one simple, specific problem: the RIAA does not want their music to flow around networks in digital format. One of their early initiatives was to SNEAK, without warning the user, encryption onto regular, physical CDs to PREVENT users from ripping their CDs. Now THAT is bad: aside from crashing many computers and regular audio CD players, it was preventing users from exercising their rights to fair use. Apple's DRM scheme is slowly educating RIAA labels to chill the fuck out on crippling their CDs and allowing them to migrate into the new digital millennium of the instant digital music gratification so many of their potential customers craved.
Incidentally, Apple has also provided a fair online digital music marketplace business, which MANY independent record labels have come to embrace, as this business model allows their artists to gain far greater exposure while retaining much of the profits, as Apple doesn't make shit on music sales.
I've said it before and I'll say it again: fight the RIAA by not purchasing RIAA-controlled music. Fighting Apple thru reverse-engineering is only hurting Apple's credibility in front of the RIAA, not the RIAA. If Apple's credibility is shot, their business model goes to shit, and indie labels and artists suddenly become deprived of the last opportunity for their music to come out of the indie darkness and onto mainstream distribution. Apple is slowly but surely building more and more "community" features into their platform, the same way Amazon has done it for years, which will be a great way for people to share great music with one another, thereby educating them about music they may not otherwise have heard of thru mainstream media, which are in bed with RIAA labels in the first place.
People need to start thinking about consequences of their actions and stop addressing complex problems with oversimplified, unrealistic solutions: "Hey let's solve world hunger: KILL ALL THE MOFOZ WHO STARVE".
You are only locked into Apple's platform if you choose to remain locked in. Apple is giving you the tools you need to pursue fair use to its full extent. You can burn your iTMS music to CDs all you want; DRM restrictions are EASY to get around and LEGAL within fair use, they are merely there to prevent the mainstream crowd from instantly feeding their iTMS music to P2P networks.
I think we're in agreement. The key here is to fight the RIAA, *not* Apple. Apple's online store ALSO supports non-RIAA labels and indie music. Money spent on such non-RIAA-owned songs gets back to the artists in far greater percentages, since Apple isn't really looking to make a profit on music sales themselves, while Apple still offers music lovers a framework for a fair online music marketplace.
Well said! The hypocrisy of it all infuriates me. At least Apple has been clear about what they're about from day 1. Can't say as much of some geeks in here :\
Why this clueless paranoid numbnut behind the parent post got modded up as "insightful" is beyond me. But hey, it's an opinion, I guess.
You, "bogie", may not deem the Apple Music Store useful, but there are quite a few hundred thousand satisfied customers out there, including myself, who beg to differ.
Online digital music distribution does not replace CDs. It complements them. This is the one true distinction you have to make here. Sneaking DRM onto a physically-purchased CD without informing the buyer is a NO-NO. It does deny fair use in that you, as a consumer, are not warned AHEAD of time of the presence of DRM and cannot make an informed decision about buying the CD and vote with your dollars. This is way different from online music. DRM exists as a clearly-stated condition of purchase of online music. You KNOW ahead of time what to expect. You are making an informed choice. If you do not deem the service fit for your needs, you have MANY OTHER OPTIONS for purchasing music: CDs, cassettes, DVDs, VHS, and more. This is why both online and physical music distribution coexist nicely: they fill DIFFERENT NEEDS.
DRM->CD->NON-DRM will last forever, that is, if Apple wants to retain their customers. Again, rules are always clearly stated; when they change, people will vote with their money. It's that simple. Going from 10 burns of the SAME playlist to 7 by no means restricts your fair use; you can easily clone audio CDs, or switch tracks around. These are just bones Apple throws at the RIAA to keep them at bay. What is more relevant is the fact that you can NOW listen to your music on 5 computers AT THE SAME TIME, from the original digital file you purchased. And you can listen to your music on an unlimited number of computers, even if you format your hard drive, change CPUs or whatnot, as long as 5 remains the total number of machines authorized simultaneously.
Apple is not restricting OWNERSHIP of your purchased music. In fact it is PROMOTING IT by encouraging YOU to retain sole control over who can or cannot listen to your music. Apple is merely trying to limit the post-sale, illegal distribution of online music by putting simple, easily avoidable "ROADBLOCKS" in the straightforward digital distribution chain. There is nothing revolutionary about breaking or circumventing their DRM scheme. Those processes are in place to enable them to do business with the RIAA, hoping that the few marginal geeks that get around the DRM will stay below the RIAA's radar. But noooo, not only are geeks stupid enough to pursue their cracking efforts, they're stupid enough to go out and BRAG ABOUT IT.
The end result of Apple's DRM scheme is that you can do anything you could LEGALLY, WITHIN FAIR USE, ever want to do with your music, aside from turning right around and swapping it in P2P networks.
As a consumer, I want as many options to buy music as possible. The success of iTMS proves that I'm not the only one out there. I happen to still be a faithful buyer of physical music CDs from Amazon.com because I very much relate to physical goods. I like CD cases, I like album art that is already printed for me, I like having lyrics in inserts. Once in a while I'll get a song from the iTMS. When I get batches of 10 iTMS-purchased songs, I burn them to a CD, which I bring to my car, thereby making my one-hour commute to work more and more enjoyable. I can duplicate those audio CDs I've made as much as I want, and/or rip them back as MP3s.
What you advocate thru your cluelessness and paranoia will do nothing BUT remove the options I have as a consumer of music. There is no getting around this: *COMMERCIAL* MUSIC that is distributed online, in digital format, NEEDS some sort of DRM scheme. It is the only way this form of doing business will ever survive, and Apple's scheme happens to be the loosest scheme on the market. Sit down and let the reality of this last sentence hit you in the face. Now, take a deep breath. And try to prove me wrong.