I think what he was referring to was dialogs that don't have buttons or dialogs where the button is not necessary.
A couple of examples: Safari, Address Book, the Accounts pane of System Preferences and the Network pane of System Preferences.
In Safari's preferences, when you are typing in your home page, there is a button immediately below the text field labelled "Set to current page" and I have found that most users will push that button after typing in a new home page without reading the button or by misinterpreting the button. They will also react with suspicion when I tell them to simply close the window.
When adding an LDAP server in Address Book, there is a "Save" button at the bottom right and it isn't possible to close the window without either hitting "Save" or "Cancel". Why is this ? The information is essentially of the same importance and function as the homepage in Safari but it has Save and Cancel buttons instead of being applied immediately. (Safari's homepage is applied immediately without the window needing to be closed.)
When you are creating a new account in the Accounts pane of System Preferences nothing is checked (and therefore, active) until you leave the window by closing it or by clicking another tab or toolbar icon. When you do click one of these other widgets, the account is created, the short name is set in stone and the passwords are compared to each other for equality. (This has been changed in Tiger so there now is a "Save" button but the Accounts pane changes so drastically at every major release that it's nearly impossible to talk people through this over the phone.)
In Network Preferences there is a button at the bottom right labelled "Apply now" which will apply any changes that you have made. These changes could be as little as choosing a different location or they could include creating a new location, modifying an existing location or deleting a location or any combination of these. The "Apply now" button will apply all of these changes which means that the location you are looking at in Network preferences will become the current location and all of the other changes will be saved. How do you save all of the changes to other locations without changing which location is your current location ? You select the location that is currently active and then hit "Apply now". So what happens if you just close the window ? Does that save or discard the changes ? Does it save changes to other locations but not change which one is current ?
These four are clearly inconsistent and all made by Apple. I have no problems with remembering these but on the other hand I have no problems remembering hundreds of different command-key shortcuts over several different versions of three different operating systems. Average users, in my experience, have some troubles.
Apple do some things very well (which is why I use Apple almost exclusively and work in tech support for an Apple-based company) but some things are close but still not quite right. UI consistency is one of those things.
It seems that the most highly moderated posts in this thread are those in support of good grammar and spelling and (mostly) those that contain good grammar and spelling. One conclusion that I can draw from this is that moderators like good grammar and spelling.
Further on from this, I would conclude that moderators generally have to have good grammar and spelling in order to be able to recognise it and appreciate it.
Moderators get to be moderators by having their posts moderated up (having positive karma) and by meta moderating. Posts are moderated up by other moderators who like good spelling and grammar. Therefore the moderation system is a vicious cycle where those in power tend to promote people like themselves to positions of power.
Not that I mind however. I have done my share of moderating and I much prefer posts that are easy to read because I don't have to make sense of a garbled message.
Was there ever a Mac version of Castle Infinity made ? Macs weren't nearly so popular back then and even if there had been one made it would only run in Classic mode.
What are the chances of a version being ported to Mac OS X ?
The trouble with cutting off the head is that you end up with a perfectly good army just waiting for a suitable leader to come along... and we all saw how well that worked for Yoda.
The computers that form the botnet are still compromised and are still just as dangerous. If they have a hard-coded IP address to receive instructions from, the vigilantes can make sure that IP address doesn't issue instructions, but if the instructions are received in a less centralised way then I can't see how they could stop the instructions being sent.
Maybe what we need is a follow up deconstruction of the command protocol to allow an effective "self destruct" command to be sent. (Obviously there won't be a self destruct command but there is often the ability to download a new binary file and execute it.)
Own a car, get owned by your computer (on Security Alert)
When cars were still a new thing, everybody that owned a car needed to know how they worked or they ran the risk of not getting where they were going. Cars are reliable enough now that you only need to take them in for a check up every 10,000Km or so now and when you do, the mechanic inevitably says "It's gonna take a week for parts and it could cost a bit."
That's where computer security is heading. People will take their computers in (or just ask a technician to check it online) every month or two months and for a nominal fee the technician will update the virus definitions (coolant top up), check for ad/spy-ware and clean the gunk out (oil change) and update any programs that can be updated for free (general tune up). If someone wants extra software or hardware installed, they go to the same technicians and have it done there (having fancy extractors/blowers or whatever installed. Kinda funny that those items are installed in computers these days too, not just cars:-P)
Some people will know how to fix their own computers, just as some people these days know how to fix their own cars. Some people will not have their computers serviced as often as they should, just as some people do with cars. Some people will know just the basics, like upgrading programs and virus definitions (hell, it's one button and it automatically reminds you when it's due. It's not that hard people !) just like they can top up oil and change their own tyres now.
There's no doubt in my mind. That's where computer security is heading.
It is true that that script wouldn't do much without root privileges... but a slight change and it could be quite devastating.
Simply rm -rf ~ instead of rm -rf /
Sure, it doesn't wipe the whole computer. It will still boot up, you can still even log in. But everything will be gone. Documents, songs, even your Dock will be reset back to the default.
Also, if the user was an Admin user (the default account is an Admin), you could change it to sudo rm -rf / and it would prompt them for their password. Not the root password but THEIR password... and then happily delete the entire hard drive.
It wouldn't be hard to include instructions on how to run this... in fact you could even get them to type the entire script in using pico (most people would get too confused using vi from instructions in an email) themselves and then run it thus avoiding the need to have an attachment. (How many users have you told never to open attachments because they could be viruses ? None ? Well why do they all think that ?)
Social engineering is not hard when the victim is not a power user.
Mac OS X is more secure in general, but a more powerful system has more things you can do with it and therefore more ways you can screw it up.
For some users, education is the answer. For others, restricted privileges and a competent Sys admin is the answer.
No... you have to read ALL of the article, and even in that case, (cheating in online games) it's not so much about trusting you but trusting all the other guys out there who do cheat. I have no problems with complying with things that prevent cheating in online games.
Similarly, online banking requires the trusted computer be mine, but in the end I'm a lot happier about it because I know that no one else can access my bank account.
Many of the other examples actually don't require you to have a trusted computer at all, but simply to check that some server's computer is trusted. e.g. online gambling.
The most important thing to remember here is that it's not just Microsoft that is trusting you. The game server admins need to be able to trust you, the bank needs to be able to trust you, your boss, who wants to send out a confidential email with the confidence that it can't go beyond his ability to retract it, needs to trust you. None of these people can trust you (this isn't an attack on YOU but rather a generic "you" that is Joe average out there) so they need to enforce this protection.
For that purpose, TC seems like a good idea and, in a perfect world where software was written without bugs and was available to everyone no matter of their location, language or preference for OS, it would mostly be a great thing.
No one can stop you using your computer, even with TC. They CAN stop you accessing certain content at all and they can stop you accessing certain content with anything other than certain programs. They can even stop you using certain programs without paying for them. This may be seen as bad, but it makes me wonder if I want to see that content or use those programs at all.
I'm quite happy with my combination of Mac OS and Linux and I suspect that most of the things I want to do with computers in the future will be mostly free from TC restrictions.
All up, I like some of the aspects of TC (secure banking, gambling, gaming, document control), but it is important that the choice always exists. If the only way to use your computer to view content in the future involves TC then there will be a very large effort put into breaking it and proving it worthless. What this will probably do is to make the petty crimes like making a mixed CD to play in your car CD player and then making a copy for a friend or pirating a five year old app to run on a similarly aged computer (today's computers in five years' time) into larger crimes that will involve more effort (hardware and software hacking).
One last thing... what is to stop a person with a trusted computer copying a confidential email into another email app and passing it on unprotected ? Or passing it on by word of mouth ?
So you're limiting exploits to script kiddies who need to recruit hundreds of machines to do their ddos attacks on their favourite target for the week ?
The single professional hacker who exploits MY work server and modifies/steals the data contained is far more devastating than even a ddos directed at me by a script kiddy, but because professional hackers don't brag about their exploits in irc, these vulnerabilities will go largely unnoticed by MS until someone else discovers it and exploits it large scale or posts it to a discussion on security so that MS can fix it.
Large scale exploits are not the only concern here.
On another note, if you discover that you have been hacked, you would try to remove any backdoors that may have been installed and upgrade/re-install all your software but how do you figure out which exploit was used ? Is it a known exploit or is it a new one ? I visit a website that has been hacked and taken down twice in the last two months. It seems that the maintainer simply didn't know how they got in, so put the box back up with basically the same configuration, plus some security patches from the distro website but it obviously didn't include the right patch, or possibly it was a configuration thing and not buggy software at fault so they got in again and hosed his server again. So, how do you determine how they got in apart from scanning your own box for vulnerabilities and assuming it was one of those ?
This disturbs me. I have completed two years of a Comp Sci degree and I have been taught Java and a little html. I hear that a new teacher has taken over that subject and the now learn css as well.
Whoopee.
We were taught jsp, and given the option to do our major assignment in php instead if we liked. They didn't teach us any php, nor supply a computer to host it on, but after some research on the market share that php had and the way it was growing, I decided to take the road less travelled. I was the only one. I taught myself php and figured out installing it, creating a dynamic dns so I could host it on my dialup account, installing mysql and getting the whole lot to work together. It may not sound like much (it doesn't to me now) but I had no help, and this was a group assignment I was doing on my own. Now I'm employed as a web developer creating web-based systems using php and mysql.
We have not been taught C or C++, no assembly, no php, no xhtml, no css, no bash. Yes, they taught us enough of how to manage our files (cd, ls, rm, and a supplied script for mounting floppies), but nothing serious like scripting or even piping one command to another. I have very little idea about memory management, and yet the university claims that they are teaching me "programming concepts" that will enable me to learn another language very quickly. I should be able to just pick up C and start. I was stuck with my first C++ program for days before someone told me that I should be using g++ to compile it instead of gcc.
All this makes me wonder. What have I learned at Uni ? What jobs can I apply for NOW ? I can apply for a job programming in C++, but who would hire me if I told them I had a degree in Comp Sci and I'd never used C or C++ ? Sure, I can probably learn it quickly given a decent programming guide and a reference guide but it makes me ask again... why did I go to Uni ? I taught myself Apple Basic at the age of eight by looking at the code of the games that came with our Apple ][e. OK, I had some help from a couple of books from the library that had some simple 50 line games listed in them but the point is that I learned it with no help other than that. If a University has charged me $600 per semester per subject to teach me one language and the ability to learn more, and I already had that... I wonder what point there is.
Up until now, I thought this is what Uni Comp Sci was all about. This is what they teach everywhere. How wrong was I ?
The three most useful subjects I did were Theory of Computation, Algorithmics and Advanced Algorithmics. No programming was taught; when you were expected to write code it could be in C, C++ or Java but nearly everyone chose Java because that's all they knew. What we learned was that the difference between N^2 and N(Log(N)) was far more important than any optimisations you could tweak in assembly language.
So, the final question remains; am I better off with a degree in Comp Sci and only one language under my belt (I don't count Apple Basic anymore) or am I better off teaching myself C and trying to get a job and some experience ?
I suppose there should be a third option there: should I simply find myself a better University that actually has a serious Comp Sci course ?
Wouldn't it be nice if there was an equivalent now ?
My whole interest in programming came from reading source listings like in the Beagle Bros. ads and from looking at others' programs.
BASIC was open-source because it was compiled at run-time.
Bring on open source ! (how else are we going to learn ?)
Well, at least it's real text. They could have scanned the whole magazine and just displayed it as a single image per page.
I agree with most of what you said, but:
Linux is free and Free. OS X is neither, and you will pay for that.
Darwin is open-source. They're quite proud of that.
You're not alone either... http://panic.com/goodies/