Saying women are "objects" in Ballers is an understatement. They are actually purchased in the game, just like a house or car. And the NBA endorses this. Lakers legend Jerry West was slated to have his likeness in the game, and he backed out once he saw the content.
iTunes is a bad example. Apple used to purchase quite a few smaller products from other developers and put them in the OS. Windowshade was one, and the menu bar clock was another (I forget the orignal name!). iTunes was SoundJam MP. It's an example of Apple paying another company for its work.
OTOH, Sherlock 3 and Dashboard are examples of taking someone else's ideas without paying for them.
As to NetNewsWire, that's just silly. NNW was hardly the first RSS reader, and Safari's is almost nothing like NNW's. And from what I have seen, NNW is significantly superior, except in searching. Hell, I wrote an RSS reader in perl that looked more like Safari's RSS than NNW does, five years ago.
LaunchBar too, that's silly. Spotlight is similar to LaunchBar in that they both do searching, but it's something that has existed in various forms in the OS for years, and works very differently from how LaunchBar works. It's more like stealing from Longhorn than it is stealing from LaunchBar.
VPN and Firewall setup are both included in the single-click configuration.
A robust backup solution would be a great addition. Backup.app is a nice start, but needs a ton of work (it's very slow, not robust, needs more selection options and filters), and Server could make it much simpler for Backup.app to work with.
I wish I knew enough about Windows to really answer your question well, but the Apple rep I talked to was talking about non-Active Directory stuff, primarily, saying that lots of companies have legacy networking and will need to upgrade to something -- Active Directory or otherwise -- and that Tiger Server will offer another choice.
Should we jail murderers, since it doesn't seem to prevent murders, or curb the murder rate? Whatever.
Anyway, he is looking at the problem on too wide a scale. Slash (the code running this site) is much less vulnerable to various exploits than many of the alternatives that have cropped up, and yes, it has been a huge benefit to the people who run and use this site, undoubtedly.
Personally, though, I think it would be crazy to push Dave out of RSS.
Make your choice: it's either Dave, or the people who are eschewing RSS because of Dave. I won't try to make the argument that you should choose us (I am NOT affiliated with Atom, I just support their efforts, BTW; I am just one of a relatively large group of people who can't stand him) over him; it's not like most people in the world care. But you can't have both, it really is him or us.
One of the biggest reasons it has succeeded is because there was an outspoken software developer championing the protocol and promoting it tirelessly in code and on his weblog.
I don't buy this at all. RSS 0.9 was the most common RSS in use for a long time, even after RSS 0.91 had been out for awhile, and Dave had nothing to do with it. By the time RSS 0.91 came out, people were already using RSS 0.9 a lot, as well as other formats (like Slashdot's own custom XML feed). People started to realize Netscape had this standard, so they switched to it, and it grew.
Did Dave contribute to its growth? Sure, but so did everyone who used it and promoted it. It would have grown anyway, probably just as much, or close to it, and it would have been far better, if not for Dave.
The one thing I will give Dave in all this is that he was the primary champion for simplicity, which remains a very important issue. However, he was also the primary champion for disorder (e.g., adding arbitrary names to the spec) and lack of extensibility, which is what necessitated RSS 1.0 (and, subsequently, Atom) in the first place. And he was also, as is well-established, the primary cause of the split in the RSS developer community. So while his contribution in emphasis on simplicity was important, he contributed a net loss to the users. Sorry.
There's no ownership at all. Dave doesn't own the format, the specification, or the name.
You misunderstand the intent of the words I used: I am saying this difference you refer to is only slight, in practical terms. I meant that the real issue is not ownership.
I wasn't saying Dave actually owns it. I have always maintained the fact that Dave *never* owned RSS, he just conned people into thinking he did. He owned certain specifications of it, yes; and now, he merely exercises de facto control over them.
He ceded control of the spec to Harvard's Berkman Center and an advisory board and released it under an open license. He's one member of five on the board.
Just one post ago, you said RSS is not controlled by Dave or anyone else. Now, you say the RSS spec is controlled by an advistory board, of which Dave is a member; so you were wrong on both counts, as I said.
Do people listen to Dave when it comes to RSS 2.0? Yes. Do we have to? No.... which is what I said, which is why Atom exists.
Not only does Dave have a long history of abusing people who try to do anything with RSS that he doesn't like, he remains in de facto control today.
I am not making the argument that RSS is a problem because "someone" is in "control" of it. I am saying RSS is a problem because "Dave Winer" is "intimately involved" with it. Define it as "control" or not, it's really beside the point. Dave has a lot of influence, so therefore many people will not be involved with it.
Perhaps I was wrong to even bother with trying to make the point that Dave is in de facto control, even though he is, because it overemphasizes issues that lack importance, instead of focusing on the core fact that Dave is influential/intimately involved at all.
Did you know that a year before RSS 2.0 was released, Dave said he was leaving RSS development, and while expressing his distaste for the fact that rss-dev released RSS 1.0, jokingly said he should leapfrog them and release his next version as 2.0, to take back the mindshare? He lied about leaving RSS development, and then put his joke about manipulating the version numbers into actual practice. This is one of the many examples of the bullshit that people won't put up with by dealing with RSS development as long as Dave is involved.
Nothing you can say about Dave will ever change people's minds about this. And nothing you can say about how people should come together means a damned thing, because that's the same sort of thing Dave says, right before he stabs them in the back, and everyone knows it.
That's what RSS 1.0 was -- and Dave lost no opportunity to slame its developers every chance he got (except when he thought it would make him look good to pretend to be nice to them). Been there, done that.
What do we have to do to convince people that it isn't controlled by Dave Winer or anyone else?
Stop lying by saying it is not?
The specification is released under a Creative Commons license and no ownership is claimed of the format embodied by the specification.
Yes, it is under a Creative Commons license. So what? perl is GPL'd, but no one would say p5p doesn't control it. Sure, there's some slight difference in the case of true ownership, but the real difference is that there is a recognized body that everyone looks to, and that body was created by Dave, and is controlled in no small measure by Dave.
The fact is that anyone who tries to improve upon or modify RSS is met with Dave's wrath. And this is precisely why Atom exists. There can never be convergence because Dave is still involved, and -- as evidence by the fact that he has several times over several years said he would no longer be invovled, but still is -- he likely forever will be.
You can argue till the end of the year whether the wording is appropriate, or how many nimrods will get 0wned anyway, but the technical side of it is very well I think: the essence of the 'hole' was that any protocol could be made up. This does a good job of watching out.
Only if you understand the warning message (or have access to someone who does, who can tell you what to do). If you don't, then all it's done is reduce your chances of being exploited by 50%.
So the first time I try to run any app you're going to disallow it?
No. This is all over your head, isn't it? The problem is that apps are automatically registered, and can be run *for the very first time* without *explicitly* running the application (such as, by opening a file of a certain type, or using a URI handler). "For the first time" is the key here: no app should be automatically registered, and should require explicit execution before it is registered. After this initial execution, everything else would be normal.
Requiring that a user manually run an application for the very first time is not a significant burden for the overwhelming majority of users.
"In realtime"? I am talking about developers fixing applications. For example, Apple developers looking at Help Viewer.app and saying, "OK, we accept all this data from URI handlers, and we do this with that data. Is anything here potentially dangerous?" And then they either remove runscript, or they restrict its use internally (which is what Apple chose), or they take some other measure to prevent the unsafe operation. This work is *necessary*, not optional, no matter what else Apple does to attempt to prevent abuse.
You know, you keep saying that, but it sounds like you are doing the same thing.
But I am not.
You seem to be claiming that no "typical" users are smart enough to figure out what's going on.
I claimed no such thing, sorry. I never said or implied anything similar to that. What I said is not that NO typical users will, but that SOME will not.
The main reason I responded though was just to complain about your analogy. It doesn't fit. The remote exploit that this is all about is not completely automatic. It requires the user to browse the internet to a malicious site.
Only if you define "malicious" loosely. Due to the great many sites that allow comments to be posted on them, many of which have XSS vulnerabilities, this simply isn't the case with most definitions of "malicious." If someone found a way to exploit Slashdot so you could redirect a user, then boom!
[Now, of course, right now, there is no known way to automatically get an app registered in the first place, because the various disk/afp/etc. handlers were apparently closed. But that doesn't mean a new way won't be found, so it's beside the point.]
This sounds good on the surface, but think about it - do you want to have to explicity lauch every helper app before it gets used automatically?
For the first time? Yes, absolutely. No question about it. This is precisely what I want. No app gets launched until I do the launchin'.
Want to unstuff and app? Sorry, you need to hand launch Stuffit Expander once first.
Since Expander comes preinstalled, Apple can grandfather it in, like all other preinstalled apps.
Want to use the Citrix client to connect to a remote server? Sorry, gotta launch the client once
Good! How is this a problem? You install a new app, so you run it once. This is not hard, difficult, or burdensome in any reasonable way. I agree that there is a SLIGHT burden that WOULD be useless if there was no reason for it, but clearly, here, there is a security problem, that entirely mitigates this slight burden.
I never implied any such thing, sorry. This is only one piece to the puzzle. Every app the Apple has that accepts data from URI handlers must be audited to make sure it does nothing potentially unsafe with that data. They are two separate, but related, issues.
As noted previously in the thread, VNC is just a bad option. I am not sure if I empahsized this, but this needs to be usable by other people, which means 1. it can't be complicated 2. it can't be insecure (giving people easy remote access to my server!).
However, netTunes is the best option I've seen so far, and it basically does a VNC just for iTunes. So it is what I am working with now. The one problem is that this won't make it any "nicer" to get AirPort Express, because I can use netTunes with my existing laptop in the closet. However, this will allow me to sell my second AirPort Extreme Base Station (probably for enough to cover the cost of the Express), and save power by leaving the MP3 player laptop off, and allow me to use that laptop for testing (like, I would like to have a Jaguar machine around...).
So, I may go ahead and do it.
**** ANOTHER UPDATE ****
I was just informed by a knowledgable source that you can stream DTS 5.1 audio CDs from iTunes to AirPort Express, if using the digital out of AirPort Express. I only have like four of them, but I like to listen to them, and it's a pain to pop them into the DVD player sometimes...
How is click cancel when you see this dialog any more complicated then "don't open unknown email attachments"?
You were talking about how the user would then go and find the application to open manually. Even if you had left it at only this point, it is more complicated because you are forced to make a choice, one you don't understand the meaning or ramifications of. With email attachments, you merely don't have to take a particular action.
But I'm at a loss to what you can do to prevent it?
As I've said many times: DO NOT register apps until they are first explicitly launched. This dialog would not come up because the action would not be possible.
There are untold numbers of things you can do to people who don't learn to distrust software delivered to them without their express cooperation.
Yet another Excluded Middle fallacy. There are levels, and I am simply saying you should not rely on an on-the-spot user choice when it comes to a potential remote attack. This should be a bottom-line rule. What if Mac OS X were to pop up a dialog, saying, "An incoming packet on port 23 is detected, but telnetd is not currently running. Shall I start telnetd to allow the connection to go through?" That's what this is basically doing.
Slashdot Mirror
Saying women are "objects" in Ballers is an understatement. They are actually purchased in the game, just like a house or car. And the NBA endorses this. Lakers legend Jerry West was slated to have his likeness in the game, and he backed out once he saw the content.
iTunes is a bad example. Apple used to purchase quite a few smaller products from other developers and put them in the OS. Windowshade was one, and the menu bar clock was another (I forget the orignal name!). iTunes was SoundJam MP. It's an example of Apple paying another company for its work.
OTOH, Sherlock 3 and Dashboard are examples of taking someone else's ideas without paying for them.
As to NetNewsWire, that's just silly. NNW was hardly the first RSS reader, and Safari's is almost nothing like NNW's. And from what I have seen, NNW is significantly superior, except in searching. Hell, I wrote an RSS reader in perl that looked more like Safari's RSS than NNW does, five years ago.
LaunchBar too, that's silly. Spotlight is similar to LaunchBar in that they both do searching, but it's something that has existed in various forms in the OS for years, and works very differently from how LaunchBar works. It's more like stealing from Longhorn than it is stealing from LaunchBar.
Yes, it can ACT as a an AD PDC, but the new Tiger migration tool migrates from older PDCs. Not sure if it also migrates from AD PDCs.
VPN and Firewall setup are both included in the single-click configuration.
A robust backup solution would be a great addition. Backup.app is a nice start, but needs a ton of work (it's very slow, not robust, needs more selection options and filters), and Server could make it much simpler for Backup.app to work with.
I wish I knew enough about Windows to really answer your question well, but the Apple rep I talked to was talking about non-Active Directory stuff, primarily, saying that lots of companies have legacy networking and will need to upgrade to something -- Active Directory or otherwise -- and that Tiger Server will offer another choice.
I am waiting for Jesux: The Game!
I am really at loss as to why /. readers who are not directly affected have to flame this guy.
It's called "karma."
Who cares? Run it once, it won't hurt you.
Should we jail murderers, since it doesn't seem to prevent murders, or curb the murder rate? Whatever.
Anyway, he is looking at the problem on too wide a scale. Slash (the code running this site) is much less vulnerable to various exploits than many of the alternatives that have cropped up, and yes, it has been a huge benefit to the people who run and use this site, undoubtedly.
Personally, though, I think it would be crazy to push Dave out of RSS.
Make your choice: it's either Dave, or the people who are eschewing RSS because of Dave. I won't try to make the argument that you should choose us (I am NOT affiliated with Atom, I just support their efforts, BTW; I am just one of a relatively large group of people who can't stand him) over him; it's not like most people in the world care. But you can't have both, it really is him or us.
One of the biggest reasons it has succeeded is because there was an outspoken software developer championing the protocol and promoting it tirelessly in code and on his weblog.
I don't buy this at all. RSS 0.9 was the most common RSS in use for a long time, even after RSS 0.91 had been out for awhile, and Dave had nothing to do with it. By the time RSS 0.91 came out, people were already using RSS 0.9 a lot, as well as other formats (like Slashdot's own custom XML feed). People started to realize Netscape had this standard, so they switched to it, and it grew.
Did Dave contribute to its growth? Sure, but so did everyone who used it and promoted it. It would have grown anyway, probably just as much, or close to it, and it would have been far better, if not for Dave.
The one thing I will give Dave in all this is that he was the primary champion for simplicity, which remains a very important issue. However, he was also the primary champion for disorder (e.g., adding arbitrary names to the spec) and lack of extensibility, which is what necessitated RSS 1.0 (and, subsequently, Atom) in the first place. And he was also, as is well-established, the primary cause of the split in the RSS developer community. So while his contribution in emphasis on simplicity was important, he contributed a net loss to the users. Sorry.
There's no ownership at all. Dave doesn't own the format, the specification, or the name.
... which is what I said, which is why Atom exists.
You misunderstand the intent of the words I used: I am saying this difference you refer to is only slight, in practical terms. I meant that the real issue is not ownership.
I wasn't saying Dave actually owns it. I have always maintained the fact that Dave *never* owned RSS, he just conned people into thinking he did. He owned certain specifications of it, yes; and now, he merely exercises de facto control over them.
He ceded control of the spec to Harvard's Berkman Center and an advisory board and released it under an open license. He's one member of five on the board.
Just one post ago, you said RSS is not controlled by Dave or anyone else. Now, you say the RSS spec is controlled by an advistory board, of which Dave is a member; so you were wrong on both counts, as I said.
Do people listen to Dave when it comes to RSS 2.0? Yes. Do we have to? No.
Not only does Dave have a long history of abusing people who try to do anything with RSS that he doesn't like, he remains in de facto control today.
I am not making the argument that RSS is a problem because "someone" is in "control" of it. I am saying RSS is a problem because "Dave Winer" is "intimately involved" with it. Define it as "control" or not, it's really beside the point. Dave has a lot of influence, so therefore many people will not be involved with it.
Perhaps I was wrong to even bother with trying to make the point that Dave is in de facto control, even though he is, because it overemphasizes issues that lack importance, instead of focusing on the core fact that Dave is influential/intimately involved at all.
Did you know that a year before RSS 2.0 was released, Dave said he was leaving RSS development, and while expressing his distaste for the fact that rss-dev released RSS 1.0, jokingly said he should leapfrog them and release his next version as 2.0, to take back the mindshare? He lied about leaving RSS development, and then put his joke about manipulating the version numbers into actual practice. This is one of the many examples of the bullshit that people won't put up with by dealing with RSS development as long as Dave is involved.
Nothing you can say about Dave will ever change people's minds about this. And nothing you can say about how people should come together means a damned thing, because that's the same sort of thing Dave says, right before he stabs them in the back, and everyone knows it.
That's what RSS 1.0 was -- and Dave lost no opportunity to slame its developers every chance he got (except when he thought it would make him look good to pretend to be nice to them). Been there, done that.
does anyone think the Atom people would turn down the olive branch?
Mr. Winer, tear down this wall!
Yes, because no one trusts Dave.
he's even updated them to work on Mac OS X
They were not updated to work on Mac OS X, they just do (with the Classic environment).
What do we have to do to convince people that it isn't controlled by Dave Winer or anyone else?
Stop lying by saying it is not?
The specification is released under a Creative Commons license and no ownership is claimed of the format embodied by the specification.
Yes, it is under a Creative Commons license. So what? perl is GPL'd, but no one would say p5p doesn't control it. Sure, there's some slight difference in the case of true ownership, but the real difference is that there is a recognized body that everyone looks to, and that body was created by Dave, and is controlled in no small measure by Dave.
The fact is that anyone who tries to improve upon or modify RSS is met with Dave's wrath. And this is precisely why Atom exists. There can never be convergence because Dave is still involved, and -- as evidence by the fact that he has several times over several years said he would no longer be invovled, but still is -- he likely forever will be.
Huh? I've been doing this since iTunes came out.
What you described is not having multiple libraries, it is using one library.
You can argue till the end of the year whether the wording is appropriate, or how many nimrods will get 0wned anyway, but the technical side of it is very well I think: the essence of the 'hole' was that any protocol could be made up. This does a good job of watching out.
Only if you understand the warning message (or have access to someone who does, who can tell you what to do). If you don't, then all it's done is reduce your chances of being exploited by 50%.
So the first time I try to run any app you're going to disallow it?
No. This is all over your head, isn't it? The problem is that apps are automatically registered, and can be run *for the very first time* without *explicitly* running the application (such as, by opening a file of a certain type, or using a URI handler). "For the first time" is the key here: no app should be automatically registered, and should require explicit execution before it is registered. After this initial execution, everything else would be normal.
Requiring that a user manually run an application for the very first time is not a significant burden for the overwhelming majority of users.
"In realtime"? I am talking about developers fixing applications. For example, Apple developers looking at Help Viewer.app and saying, "OK, we accept all this data from URI handlers, and we do this with that data. Is anything here potentially dangerous?" And then they either remove runscript, or they restrict its use internally (which is what Apple chose), or they take some other measure to prevent the unsafe operation. This work is *necessary*, not optional, no matter what else Apple does to attempt to prevent abuse.
You know, you keep saying that, but it sounds like you are doing the same thing.
But I am not.
You seem to be claiming that no "typical" users are smart enough to figure out what's going on.
I claimed no such thing, sorry. I never said or implied anything similar to that. What I said is not that NO typical users will, but that SOME will not.
The main reason I responded though was just to complain about your analogy. It doesn't fit. The remote exploit that this is all about is not completely automatic. It requires the user to browse the internet to a malicious site.
Only if you define "malicious" loosely. Due to the great many sites that allow comments to be posted on them, many of which have XSS vulnerabilities, this simply isn't the case with most definitions of "malicious." If someone found a way to exploit Slashdot so you could redirect a user, then boom!
[Now, of course, right now, there is no known way to automatically get an app registered in the first place, because the various disk/afp/etc. handlers were apparently closed. But that doesn't mean a new way won't be found, so it's beside the point.]
This sounds good on the surface, but think about it - do you want to have to explicity lauch every helper app before it gets used automatically?
For the first time? Yes, absolutely. No question about it. This is precisely what I want. No app gets launched until I do the launchin'.
Want to unstuff and app? Sorry, you need to hand launch Stuffit Expander once first.
Since Expander comes preinstalled, Apple can grandfather it in, like all other preinstalled apps.
Want to use the Citrix client to connect to a remote server? Sorry, gotta launch the client once
Good! How is this a problem? You install a new app, so you run it once. This is not hard, difficult, or burdensome in any reasonable way. I agree that there is a SLIGHT burden that WOULD be useless if there was no reason for it, but clearly, here, there is a security problem, that entirely mitigates this slight burden.
I never implied any such thing, sorry. This is only one piece to the puzzle. Every app the Apple has that accepts data from URI handlers must be audited to make sure it does nothing potentially unsafe with that data. They are two separate, but related, issues.
If you mean you want to link two wired networks together, yes, with two AirPort Extreme/Express base stations, you can do that.
Interesting thought, I dunno. I wouldn't be at all surprised if Apple made its own all-in-one remote control, but I love my Harmony Remote. :-)
As noted previously in the thread, VNC is just a bad option. I am not sure if I empahsized this, but this needs to be usable by other people, which means 1. it can't be complicated 2. it can't be insecure (giving people easy remote access to my server!).
...).
...
However, netTunes is the best option I've seen so far, and it basically does a VNC just for iTunes. So it is what I am working with now. The one problem is that this won't make it any "nicer" to get AirPort Express, because I can use netTunes with my existing laptop in the closet. However, this will allow me to sell my second AirPort Extreme Base Station (probably for enough to cover the cost of the Express), and save power by leaving the MP3 player laptop off, and allow me to use that laptop for testing (like, I would like to have a Jaguar machine around
So, I may go ahead and do it.
**** ANOTHER UPDATE ****
I was just informed by a knowledgable source that you can stream DTS 5.1 audio CDs from iTunes to AirPort Express, if using the digital out of AirPort Express. I only have like four of them, but I like to listen to them, and it's a pain to pop them into the DVD player sometimes
How is click cancel when you see this dialog any more complicated then "don't open unknown email attachments"?
You were talking about how the user would then go and find the application to open manually. Even if you had left it at only this point, it is more complicated because you are forced to make a choice, one you don't understand the meaning or ramifications of. With email attachments, you merely don't have to take a particular action.
But I'm at a loss to what you can do to prevent it?
As I've said many times: DO NOT register apps until they are first explicitly launched. This dialog would not come up because the action would not be possible.
There are untold numbers of things you can do to people who don't learn to distrust software delivered to them without their express cooperation.
Yet another Excluded Middle fallacy. There are levels, and I am simply saying you should not rely on an on-the-spot user choice when it comes to a potential remote attack. This should be a bottom-line rule. What if Mac OS X were to pop up a dialog, saying, "An incoming packet on port 23 is detected, but telnetd is not currently running. Shall I start telnetd to allow the connection to go through?" That's what this is basically doing.