Slashdot Mirror


User: daveschroeder

daveschroeder's activity in the archive.


Comments · 2,787

  1. Re:In Soviet Russia... on Government Has a Right to Read Your Email? · · Score: 2
    We've obviously been doing better than Russia and most or all of the other former Soviet republics, and capitalism clearly triumphed over communism, but when it comes to personal freedoms, we're doing to ourselves what we feared the Soviets would do to us. Did we really come out on top?

    Considering this law is the Stored Communications Act of 1986, and the Cold War wasn't even over yet then, yes, one does wonder.

    ...

    Seriously, I know most people reading this will think this is some "new" law. No, what's "new" is that the already existing law is being *challenged*, or at least the interpretation of it.

    So that's a good thing, right?

    Or is it better to make it look like a 20-year old law represents some "slippery slope" that we're slipping downward into?

  2. Re:Why this is interesting on Apple Closes iSight Security Hole · · Score: 3, Interesting

    It's a good thing that this was never in the wild (insert someone ominously saying "THAT WE KNOW OF..." here) and is now fixed, then, isn't it?

    And actually, this has nothing to do with "integrating all (?) its OS components with the web browser". It has to do with QuickTime movies being able to be embedded in a web page, which is perfectly appropriate, and another supported feature of QuickTime, namely QuickTime for Java, being able to take instructions from a Java applet, like it was designed to do. None of these things are "bugs", but the confluence of them in this circumstance allows a malicious applet to take imagery from the camera via a Quartz Composer composition. This has ZERO to do with "integrating OS components" into the browser. This is all done via QuickTime and QuickTime for Java, which can be accessed via the browser. Oversight? Yes. Now fixed? Yes.

    As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long". By that logic, you could make the same claim about things that install malware via browser vulnerabilities on any platform: "But what if you got this on a popular site?!?" Yeah, what if?

  3. Re:Why this is interesting on Apple Closes iSight Security Hole · · Score: 5, Informative

    I should also note that, for government/military customers, Apple does have a contractor that can physically disconnect the iSight and internal microphone as part of the procurement process, and meets GSA schedules and requirements for "no-camera" or "no-microphone" environments; additionally, infrared, Bluetooth, and AirPort can also be disabled. This does not void any warranties. That contractor is:

    Holmans
    6201 N. Jefferson Ave
    Albuquerque, NM 887109
    Tony Greiner
    505 343 3529
    tgreiner@holmans.com

    GSA schedule GS-35F-0341N
    DOE authorized (LLNL and LANL)
    DOE "L" clearance personnel

    For individual customers, any Apple Authorized Service Provider can disconnect any or all of the above components, and are happy to accommodate such requests. Such requests also do not void warranties.

    Again, these components can all be disabled by software means in managed environments where physical disconnection/removal of the device(s) is not a requirement.

    I should note that this trick could technically be done on any platform with a camera: run malicious software designed to send imagery from an attached camera somewhere. But in the case of Mac OS X on Apple hardware, it becomes interesting because Apple has already done all the work to drive the camera and display within QuickTime (via Quartz Composer, the integrated camera and drivers, and so on), and then QuickTime for Java can be used via a malicious Java application or applet (which still has to be run, of course) to send images remotely. After Security Update 2006-008, a Java applet (unless it is a signed applet that is specifically allowed by the user) can no longer make such calls to QuickTime for Java.

  4. Why this is interesting on Apple Closes iSight Security Hole · · Score: 4, Informative

    Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.

    For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?

    But what is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.

    So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.

    But what's more interesting is:

    - All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
    - All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)

    The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?

    In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.

    One other note: you can indeed disable the iSight by (re)moving:

    /System/Library/Extensions/Apple_iSight.kext
    /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component

    In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!

  5. Re:Some thoughts and considerations on Month of Apple Bugs Debuts in January · · Score: 1

    Nice troll. Even got me to respond. ;-)

    I, for one, have grown quite tired of Apple and the MacFanBoi's claims that OS X is perfectly secure.

    1. Apple does not, and never has, claimed Mac OS X is "perfectly secure" or anything near "perfectly secure".

    2. No reasonable person makes that claim. If some jackass wants to say that Mac OS X is invulnerable, they're exactly that. A jackass.

    It's even prevalent on the securityfocus list dedicated to Apple products, where every security concern, malware or exploit is somehow poo-poo'd into not existing. (Reference: Apple dmg and safe files problems; reference: wireless driver exploits; ad nauseam.)

    What's prevalent? If you're talking about the focus-apple list, we've already collectively decided that Safari's "safe files" feature should be disabled by default at a minimum, and preferably discontinued altogether. As to the wireless driver exploit, which is fixed, neither Johnny Cache, David Maynor, nor SecureWorks has, to this day, provided Apple with ANY useful or verifiable information that the vulnerability even existed. Remember, they were presenting themselves as professional security researchers with a "responsible disclosure policy", even hiding the brand of the 3rd party wireless card they used, to this day (we have since discovered it was the Raytheon RayLink chipset). Krebs totally sensationalized it, as is typical for him. Further, this vulnerability was a general 802.11 vulnerability, which affected far more chipsets than the ones Apple uses, and far more operating systems, including Windows and Linux. But Apple got ALL the bad press, alone, for a vulnerability that is actually quite difficult to exploit in practice and, even then, requires that the attacker be within 802.11 range.

    Care to explain to me how that's fair?

    So you're a troll *and* a liar.

    Also reference, for the second year running, OS X itself has made it to the SANS top20 vulnerabilities. http://www.sans.org/top20/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa and http://www.sans.org/top20/2005/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa

    "Second year running." *Chuckle*.

    Anyway, yeah, please do take a look at those lists. Since Mac OS X is by far the most used desktop operating system other than Windows, is it any surprise it would show up on the SANS list? Behind everything Windows-related, of course.

    I'm really hoping that the month of Apple bugs shuts up Apple,

    Well, since Apple doesn't claim that Mac OS X is anything you've claimed they do, and in fact doesn't even comment on security issues before they are patched, it probably won't be too hard to "shut up" Apple, since they'll be almost completely silent on this issue.

    shuts up the MacFanBio,

    Unlikely.

    and actually gets someone paying attention to the damn things

    Macs can already be managed quite well in a corporate/enterprise setting with an IT staff anywhere remotely worth their salt.

    -- at least as far as to kick them and their users out of the corporate environment.

    It really irks you that people use Macs, doesn't it? And that the share is growing, especially in academic, research, and enterprise environments? Well, sorry bud, but that's going to continue, and for good reason: it's a manifestly more secure operating system, not just for reasons of marketshare, and people are sick of Windows and all of its problems.

    And for non-managed systems, there is no question that Mac OS X is the better choice for the typical general purpose desktop user. Look how quickly a typical user gets a Windows system packed with spyware and how much malware, including self-propagating malware, and all manner of vulnerabilities, including ones exploitable from remote in Windows' stock configuration, that keep getting discover

  6. Re:Some thoughts and considerations on Month of Apple Bugs Debuts in January · · Score: 4, Informative

    This has nothing to do with whether or not holes will be maliciously exploited by some; of course they will be.

    What matters most is how Apple responds to issues once it knows about them, whether it discovers them internally, is privately informed, or finds out via a project like this.

    You can't fix a bug you don't know about, and saying Apple should somehow magically know about them all itself is disingenuous. All software will have bugs, and people other than the vendor will always discover some of them. Some of these bugs will be able to be used as avenues for exploit.

    The only question is whether, as a responsible security researcher, you give the vendor a chance to respond before disclosing, or not. This has zero to do with what other malicious people will do.

    I understand you're probably one of those people who doesn't think there is any value at all in informing the vendor and giving them an opportunity to fix an issue before widely disclosing it, so this discussion isn't likely to get anywhere.

  7. Some thoughts and considerations on Month of Apple Bugs Debuts in January · · Score: 4, Insightful

    Brian Krebs seems to have some kind of fascination with "proving" that Mac OS X is "insecure" while simultaneously accusing Apple of using strong-arm tactics to try to silence critics. (Note: going after people for leaking confidential information is not the same as a situation in which people are making security issues known.)

    Every reasonable person on the planet already knows, and has known, that every OS has bugs, vulnerabilities, and security issues, and Mac OS X is no exception. The simple, undeniable truth is that for a variety of reasons, including marketshare and the security architecture of the OS, Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative. There is almost zero malware of any kind "in the wild", no malware with vectors for mass propagation, and little with ANY kind of propagation capability whatsoever. And contrary to popular opinion among some, Apple does indeed respond to, and fix, security vulnerabilities, including crediting the discoverer(s) when said person or entity provides Apple with enough information to verify the issue. It has continuously and consistently improved on this front, mostly as a result of working with people in the enterprise and academic communities (e.g., Apple University Executive Forum and MacEnterprise.org). There is always room for improvement, but we have seen Apple make marked progress in disclosing, accurately describing, and fixing vulnerabilities in Mac OS X. As with most commercial vendors, Apple does not comment on security issues before they are fixed. So don't expect Apple to make public statements and explanations of any kind until after a particular vulnerability is addressed.

    What should be "interesting" to see isn't whether or not Apple "does anything" to "scuttle" the project; it will be whether Apple has previously had any chance to respond to any of the issues that will be disclosed. If not, this little project doesn't prove anything at all, other than that every operating system, Mac OS X included, has bugs. (Duh?) What's important is the general security architecture, practical security state-of-affairs on the platform, and how the vendor responds to issues. I'll be far more interested to see how and when Apple responds to the issues raised, and if it properly "triages" the issues and handles them accordingly (on this note, I predict that people will complain Apple is taking "too long" to fix some of the issues, when in reality it is devoting programming and testing and QA resources to the issues in the order of importance and impact).

  8. Re:DRM is not in on Zune Sales Continue to Weaken · · Score: 1

    It's not "up to 5 times" that you can copy the songs.

    It's up to 5 computers that you can have authorized to play your purchased songs at any one time. How many individuals realistically have more than 5 computers that they legitimately want to play iTMS-purchased music on? The non-sophist answer? Not many.

    Also, you can play the songs on an unlimited number of iPods, which is likely the music player you're using if you are using the iTunes/iTMS universe.

    If you do have more than 5 computers that you simultaneously want to have authorized, you have some choices:

    - Do not buy music from the iTMS. No one is forcing you to do so.

    - Burn your purchased music to CD. Rerip and use as you see fit.

    It's not about "my version" of "copy". It's about you being wrong and disingenuous in your post. Of course DRM has restrictions. That's the purpose. The key is to make it unobtrusive and indeed almost invisible to the vast, vast majority of your userbase, which is exactly what Apple's DRM is.

  9. Re:DRM is not in on Zune Sales Continue to Weaken · · Score: 1

    Imagine having a 1000+ collection of itms songs, then your iPod's battery dies.

    Nice try. There are so many ways to replace an iPod battery (including official Apple methods) that it's laughable (and every battery powered device requires eventual replacement, which can happen with the iPod for $20 or less):

    http://www.google.com/search?q=ipod+battery

  10. Re:DRM is not in on Zune Sales Continue to Weaken · · Score: 1

    It's "circumventing DRM" in that context of doing it illegally, if that's what you mean. It is using a legal, advertised, allowed, known feature of the product: when you burn music purchased from the iTunes Music Store to a standard Red Book Audio CD (i.e., a normal audio CD) with iTunes, there is, by nature, no more DRM. It then follows that you can do anything with the music you see fit. It's also something that an ordinary person can do with ease, because burning purchased music to CD is an integral part of iTunes. The music can then be played in any device that plays audio CDs. Further, you can re-rip the CDs in any format you wish on any computer running any applicable OS, none of which would be encumbered by DRM, at which point the music could be played on any device.

    So it's inappropriate to say "iPod has DRM that is unclear and difficult to deal with if you want to play your iTunes purchased music and videos on anything but an iPod, but that hasn't stopped consumers from adopting it," because that doesn't apply to music at all, and even in the case of videos, the videos can be played on:

    - Your primary computer
    - Up to five other authorized computers
    - An unlimited number of iPods
    - On your TV or any external video monitor via the iPod A/V cable or iPod Dock
    - On your TV or any external video monitor via the forthcoming iTV

    I know it's fashionable to rip on anything that has DRM, but Apple really has made it unobtrusive, and that's precisely why people adopt and use it.

  11. Re:DRM is not in on Zune Sales Continue to Weaken · · Score: 1

    Burn music to CD -> reencode in any format desired -> play anywhere.

    Yes, this is only for music, but the point stands.

    And yes, it's an extra step, but the point is that it's easy for anyone who wishes to do so to do just this.

    (Yes, yes, yes, there will be losses from compression, but they are so negligible, almost ALL people will not be able to discern any difference in quality whatsoever. And if you're an audiophile-type who can, then the original AAC encoding isn't good enough for you either. So, the "but what about compression losses" is a bogus argument.)

  12. Re:DRM is not in on Zune Sales Continue to Weaken · · Score: 3, Informative

    - You can "copy" (or backup, or move, etc.) the songs purchased from iTunes an unlimited number of times.[1]

    - Songs purchased from iTunes can be burned to CD (and thus stripped of all DRM) an unlimited number of times (playlists can be burned a limited number of times (seven), designed to prevent people from making copies of, say, a purchased album en masse; however, you can make a new, identical playlist, or change one thing about the playlist and then change it back, and it can continue to be burned as many times as you wish)

    - Songs purchased from iTunes can be played on an unlimited number of iPods of any model

    [1] Not only can you copy the music as you see fit, a new feature in iTunes 7 actually allows your authorized machines (up to 5) to two-way sync all purchased music from any iPod. So even though people say, "Yeah, iTunes DRM may be okay now, but they can always tighten it in the future," Apple has actually reduced the restrictions and introduced features that give customers more flexibility.

    In any event, slight compression losses aside, you can ALWAYS burn the music to CD an unlimited number of times, stripping all DRM permanently, and even reencode in any format of your choice. Yes, yes, yes, there will be losses from compression, but they are so negligible, almost ALL people will not be able to discern any difference in quality whatsoever. And if you're an audiophile-type who can, then the original AAC encoding isn't good enough for you either. So, the "but what about compression losses" is a bogus argument.

    Lastly, this isn't about whether DRM is "good" or "bad". It's simply a fact of life, and will absolutely continue to exist as long as the rights owners have anything to say about it under current legal frameworks (i.e., for a LONG time). The key is making it as unobtrusive as possible, which Apple has done for the vast, vast majority of customers in spades.

    Nice job at being wrong at pretty much everything about iTunes purchases in your post, though!

  13. Is nerdcore going to become a legitimate subgenre? on The Dueling Nerdcore Documentaries · · Score: 4, Insightful

    No, and yes.

    Seriously, ANYTHING can be a "subgenre" of something, and you'll always be able to find someone or group out there who likes anything. The answer is, it's already a "subgenre".

    If the question is, "Will nerdcore ever be popular beyond my really small group of friends and I who never get laid?" then the answer is, "No."

  14. Re:I can only say... on White Dolphin Functionally Extinct · · Score: 1

    So I suppose it would be somewhat ironic to point out the article right below this one on the front page entitled New Zealand's First Land Mammal Discovered?

    Bob Beale writes to clue us to big news from New Zealand. The country has long been thought to have been devoid of land mammals until recent times. No mammal fossils had ever been found there; but now one has. From the article: "Small but remarkable fossils found in New Zealand will prompt a major rewrite of prehistory textbooks, showing for the first time that the so-called 'land of birds' was once home to mammals as well. The tiny fossilized bones -- part of a jaw and hip -- belonged to a unique, mouse-sized land animal unlike any other mammal known... The fact that even one land mammal had lived there, at least 16 million years ago, has put paid to the theory that New Zealand's rich bird fauna had evolved there because they had no competition from land mammals."

  15. "Unskilled"? on Unrefined "Musician" Gains a Global Audience · · Score: 5, Interesting

    Just because he can't play piano or drums, he clearly still knows what sounds good, has a sense of beat, tempo, and melody, and knows how to use editing software.

    I'd wager most modern music is made just like that, and involves a lot of people who would meet this definition of "unskilled" musician.

  16. Re:Very old news, but typical Microsoft on Microsoft drops VBA in Mac Office 2007 · · Score: 1

    IE was killed because it provided no revenue stream for Microsoft, and hardly any mac users use it. Once Apple started shipping their own browser with the OS, IE was Netscaped.

    Wrong. Before Safari, almost all Mac users used IE, and for a significant amount of time afterward. The Mozilla/Firefox family of browsers were nowhere near as mature as they are today. Also, MacBU didn't kill Mac IE. It was killed from outside of MacBU. The only reason people shifted from IE so quickly was because Mac IE was so far behind Windows IE. When IE 6 would have shipped, it would have been the browser of choice of many. Granted, Apple has the same advantage Microsoft did by bundling a browser, but it wasn't a tactical decision to kill IE - it was a strategic one from outside MacBU.

    Access, Project, and Visio aren't released because there are not ENOUGH customers demanding it. Porting those applications to the Mac would cost more than the MacBU's current total revenue.

    The first part of your statement may be true, but you actually can't make the second part of your statement with any certainty. The point is that the response that "our customers don't want this", given to the very people telling them they want this, is not a valid answer. Further, some of these products (Project, Outlook) did previously exist on the Mac platform. They weren't killed because they were "unprofitable". They were killed because they didn't fit Microsoft's overall strategy.

    VPC was completely unnecessary. Why spend a bunch of money porting an application when everyone is going to dual-boot anyway?

    Better tell that to Parallels and VMWare...

    Seriously, most people DON'T want to dual boot. The only reason some people will is for 1.) games, 2.) because it's the "free" solution, or 3.) extremely small numbers of other uses that require native booting and wouldn't work in a VM.

    Microsoft could have made Virtual PC free on Mac (as they did on Windows), and still have it be net profitable because of the Windows licenses that would be required to be purchased for people to use Windows within it legally.

    Can you even *imagine* Connectix killing Virtual PC once Apple announced the Intel transition? They'd be thanking their lucky stars and singing and dancing all the way to the bank. Microsoft, on the other hand, recognized that this would make Virtual PC an actual usable product on the Mac platform, and thus, immediately killed it.

    VBA was killed from the next MacOffice as a direct result of the platform change. To port that logic, they would need to double their resources. Given the thin profit margins that exist in the MacBU, doubling their costs would result in them losing money.

    Of course it was killed because of the platform change. Microsoft only had, what, half a decade to move to the primary recommended development environment for Office on Mac OS X? Also, your second statement is incorrect, because Mac Office is very profitable for MacBU, and the margins are anything but "thin".

    It shouldn't take much thought to understand why these decisions are being made.

    Nice anonymous troll overall. Bravo.

    The decisions Microsoft has made haven't been business ones in the sense you're thinking. Sure, they're business decisions, but they've been business decisions in the context that they're shrewd moves designed to hurt the Macintosh platform while still appearing to be outwardly friendly by oh-so-graciously continuing to make Office (now utterly crippled for many corporate/enterprise customers), and specifically designed to ensure, insofar as Microsoft has the power to do so, that the Windows monopoly is maintained and that Windows is the only usable platform for the Microsoft economy that is already pervasive in so many organizations. It's not a conspiracy theory. It's just the truth. And from that perspective, Microsoft would be stupid to do anything other than exactly what they did. They can obviously get away with it, and anything that hurts pretty much the only other viable desktop platform is good for Microsoft.

  17. Very old news, but typical Microsoft on Microsoft drops VBA in Mac Office 2007 · · Score: 5, Informative

    First of all, this news is over five months old, and has been widely covered and known about since then. MacBU's Erik Schwiebert has a very detailed post and followup (also mentioned in the article) about exactly why Microsoft is dropping Visual Basic in Mac Office. The bottom line is that it was a difficult decision, and anyone who reads the posts will be able to understand why the decision was made.

    The people at Microsoft who work within MacBU really do care, and really do take pride in their work. But overall, Microsoft seems to be making moves - decisions not made within MacBU, or decisions forced on MacBU because of resource allocations - that are strategically designed to hurt the Macintosh platform, but not appear to be doing anything overtly.

    Examples:

    - Killing Mac IE the day Safari was introduced even though Mac IE 6 was well underway and had been in development for over a year and was about to hit beta.

    - Never releasing Access, Project, or Visio for the Mac platform even though enterprises (particularly academic institutions) have been increasingly demanding it for years. Microsoft's response? "Our customers don't want these products."

    - Killing Windows Media Player for Mac, and making it look like going with the Flip4Mac QuickTime Windows Media codec is doing Mac users a favor, when Flip4Mac will never support Windows Media DRM, which Microsoft views as key to their future Windows Media strategy, leaving Macs unsupported (whether DRM is a good or bad thing is irrelevant to this point).

    - Killing Virtual PC for the Mac when the Intel transition was announced after initially committing to support it, even though Microsoft was probably in one of the best positions to quickly release a virtual machine version of Virtual PC (can you imagine Connectix killing Virtual PC after the Intel transition was announced? They'd be jumping for joy!), and then subsequently making Virtual PC free (on Windows).

    - Killing Visual Basic in Mac Office, which will make it DOA in many enterprise/corporate environments whose documents depend on VB scripting.

    I could go on and on. These are all expert strategic moves, not by MacBU but by Microsoft at large, designed to hurt the Macintosh platform as much as possible while still appearing to be "friendly" to the platform (by continuing to release Office).

    Fortunately, with Boot Camp, Parallels Desktop, and the forthcoming VMWare Fusion, new Mac users are feeling increasingly comfortable with Mac purchases, because they know that they can run Windows if they really need to, but often find they don't need it as much as they thought they did. For many, it's a security blanket to get them over the hump, and for others it does enable them to run those Windows (or other x86 OS) applications they need or want to smoothly and efficiently. In many academic/research enterprise environments, many people can't see a reason to get anything OTHER than Mac hardware now (especially for laptops), as it can essentially run anything. And in an environment where an institution's own IT capability will "support" things like Boot Camp usage, it's not a difficult decision to make.

    Microsoft's maneuvering will ultimately be futile. Windows "won" the "desktop war" long ago. But now, as with Firefox, people are realizing that there are real, viable alternatives that might actually be better than the status quo.

  18. "Apple" doesn't blog, but... on Why Apple Doesn't Blog - Vaporware · · Score: 5, Informative

    Apple may not have an official corporate blogging outlet like some enterprises, but some Apple employees do in fact blog in a (sometimes quasi-)official capacity.

    Dave Hyatt's (now WebKit's) Surfin' Safari is one notable example of success, with Apple engineers being able to directly blog and communicate with end customers. It has now become a blog for all of WebKit, where other WebKit contributors - some within Apple and some not - can post as well.

    Mac OS forge (and the hosted sites within it) is another recent example: Apple engineers, blogging, on servers owned and hosted by Apple. This wouldn't have happened a few years ago, and was a result of responses to community concerns about Apple's interaction with the open source community. (And no, it's still far from perfect, but the interaction is increasing, and that's a good thing.)

    Both of these examples of Apple blogs are also open for comments, something some corporate "blogs" don't allow.

    So are these "official Apple blogs" in every sense of the phrase, or in the vein that the article is intending to discuss? Maybe not, but it represents a lot more openness than Apple ever used to exhibit in this context. And anything greater than zero is "more open". Will Apple ever open up blogging to just anyone or blog about futures and abstract ideas? Unlikely. But there are notable exceptions to the blanket statement that "Apple doesn't blog".

  19. "False memories"? on Virtual Reality Creates False Memories · · Score: 4, Interesting

    Before anyone thinks this might be an indication that memories can be "implanted", I think this may be jumping to conclusions just a tad.

    The blog post and the preprint make reference to the notion that people who experienced a "virtual" digital camera were more capable with the real thing...but also "remembered" things about it that weren't true, based on questions asked.

    I fail to see how this is "inducing" false memories. Could this possibly be a function of the fact that the simulation isn't 100% accurate, and that "false" "memories" about the item (determined by the number of specific or leading questions that are incorrectly answered) would be reduced as the simulation gets more and more close to, well, reality?

    Besides, I think we could do a study and prove that plenty of people have "false memories" with regard to the actual capabilities of real devices...

  20. Re:Please on Apple Releases 31 Security Fixes · · Score: 5, Insightful

    I don't care if the "average Mac user" thinks that Mac OS X has no bugs, is invulnerable to everything, and will dance a jig if they ask.

    Effectively, for almost all desktop users in any environment, Mac OS X is much more secure, much less attacked, and much safer to use from a malware perspective, for almost all average users, period. Some of the reasons are due to marketshare, some are helped in part by marketshare, some are because of architectural decisions, and some are a mix of multiple reasons. But regardless of what someone "thinks", Mac OS X is still a manifestly safer OS for an "average user", and there is simply no disputing that.

    If you want to get people to understand that even Mac OS X has bugs, great. (Duh?) If you simply want to make stupid people no longer stupid, that probably won't work. The average person doesn't care. All the average person knows, when they make the switch for example, is that their Windows box was packed with spyware and adware and then "got slow" and had multitudes of typical Windows problems that typical people have, and they don't have the same problems with their Mac.

    Do Macs have problems and bugs and vulnerabilities? Yes. Will anyone win the pissing match of "which one is better" when it's not done for any reason other than to be a pissing match, like this article seems to be doing? No.

  21. Please on Apple Releases 31 Security Fixes · · Score: 5, Insightful

    The issue is having an actual usable vector for mass-propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of manhours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.

    Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.

    No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.

  22. Re:Don't bother on Help Black Box Voting Examine ES&S Software · · Score: 5, Insightful

    Why aren't we simply fighting for a permanent voter-verified paper trail, instead of always saddling every e-voting initiative with demands that EVERYTHING, hardware and software, be open source?

    Don't get me wrong: I'm not saying it's not a good idea.

    What I'm saying is this: since, even if recounts must be requested every time, a permanent voter-verified paper trail (and a true comprehensive system with regular audits and comparisons between paper vote counts and tabulations) solves almost everything, why are we instead trying to essentially unseat established, commercial enterprise e-voting vendors?

    Wouldn't a more productive approach be to simply get a paper trail into place, since even an open source system is almost as worthless without one?

    Keep in mind, too, that an open source system still needs to go through complex certification processes and code freezing just like the commercial products do. Even though the commercial products aren't "open source", the certification process allows for the necessary level of inspections by election agencies and external entities. The problem was the certification procedures being routinely ignored or bypassed for convenience, something that can just as easily happen with an "open source" solution.

    The problem is that doing an electronic, anonymous, secret ballot that also exists in a system that attempts to enforce one-vote-per-person, combined with all the complexities and vagaries of local municipal and county systems is a lot harder than doing a vertically integrated system for one corporate customer (such as a bank).

    Keep in mind, too, that much of the legislation (such as the Help America Vote Act) that essentially mandated e-voting in the hopes of ensuring uniform access to modern voting equipment was done in response to complaints about unfairness and inconsistency with manual systems in the 2000 elections, and not just in Florida. The one critical error was not explicitly recognizing that an electronic secret ballot is a hard thing to do, even without corruption, fraud, and incompetence, and a paper trail wasn't specifically mandated. And no, that wasn't by design. It was an error of omission.

    Now, states, counties and municipalities have had to shell out hundreds of thousands, and sometimes millions, more dollars to add and retrofit certified paper trail functionality to existing systems (which, indeed, many are doing). But all e-voting vendors offer it. It just costs a lot of money.

    So instead of trying to push out enterprise vendors with multi-million dollar contracts (which is essentially what demanding "all open source" would do, since no commercial vendor is going to open up ALL of their software and hardware code and designs), why not just work to get a permanent voter-verified paper trail in place in as many places as possible as soon as possible, perhaps even mandating it via legislation, since that will be required no matter what system is implemented?

    What's more important: the egos of the people who have a vendetta against Diebold, Sequoia, and ES&S, or actually getting a mechanism into place as quickly as possible that guarantees votes will be accurately cast and counted (and at a minimum immediately shows if there is a problem)? (And yes, I DO expect the burden of actually looking at the piece of paper to verify that it's correct to fall on the person who is voting.)

  23. Re:This is on the front page of slashdot why? on Demo Virus For Mac OS X Released · · Score: 1

    I'll make you a deal - I'll stop being interested in them when you stop feeling compelled to tell me they aren't of interest.

    Witty, but how exactly is this interesting?

    The point wasn't, "This isn't a virus," it's, "Why is this on the front page of slashdot?"

    This isn't like someone trying to say "nothing to see here, move along" to cover up a story; rather, there really is nothing here. Sure, it's a "virus", technically, with no means of propagation that doesn't do anything particularly new or interesting in any way, nor does it exploit any shortcoming or vulnerability in the OS.

    So I'll make you a deal instead: you tell me how this is REMOTELY interesting, worrisome, or newsworthy (to this degree), in any way, and I'll take it under advisement.

  24. Re:This is on the front page of slashdot why? on Demo Virus For Mac OS X Released · · Score: 2, Interesting

    Your rambling about iPods, perhaps?

    Rambling? It was an example of how something utterly technically unrelated is used as an excuse to push Apple into the security spotlight again, claiming that because a QA machine infected with a *Windows* virus at one of its contractors means "Apple" is being targeted more by "hackers". (???)

    Your turn, please describe, specifically, why you felt compelled to post such an enormous amount of text in the first place?

    For accuracy and a comprehensive analysis of the situation, while also preemptively discrediting any incorrect posts about "Bluetooth 0days" and the like?

    Is being an Apple weenie that much a part of your self-identity that you find the idea of a Mac virus toxic to the very heart of your being?

    No. (And there have been previous Mac "viruses", trojans, rootkits, and other things that fall in the category of "malware". My question was: why is it on the front page of slashdot when nothing is remotely new, interesting, or novel, in any respect, about it?)

    Thanks for asking!

  25. Re:This is on the front page of slashdot why? on Demo Virus For Mac OS X Released · · Score: 1

    Hi Ryan. ;-)

    No. Mac OS X hasn't had any cherry popped.

    This isn't the "first" proof-of-concept for OS X that meets the definition of a "virus". There have been previous examples of malware that has specifically inserted code into other things on the filesystem (the hallmark of a "virus").

    What I want to know is, when will we stop hearing about each and every new piece of malware for Mac OS X when they're not even novel, new, or interesting anymore?