But the original article makes it look like any Mac OS X machine out on the internet could just get "hacked", and was "easy pickings". Do you, or do you not, agree that the article should have made *some* reference, at least in passing, that people were allowed to have local accounts on the machine? I.e., a way that the vast, vast, vast majority of consumer Mac OS X machines will never be used (to say nothing that they'll probably never have any ports open, either)?
So there's a local privilege escalation vulnerability that, according to the "hacker", hasn't been reported to Apple. So if it's "unpublished", and therefore hasn't (likely) been reported to Apple, what is Apple to do about it?
The article is not fair because it doesn't tell a critical detail about the situation: that LOCAL ACCESS was allowed. If you don't think that's a *huge* omission in this context, I don't know what else to say. The majority of people who read that article will leave with the specific and distinct impression that a Mac OS X machine can be "hacked" just from being connected to the internet. That is patently untrue. I'm simply showing that.
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access - Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the reqiurements.
1. Gigabit ethernet (*usually* unheard of on a product of this size and price - yes, yes, yes, I'm sure you'll come up with examples of other computers that have GigE, but none will be that size *and* price category)
2. The Apple Remote can't be used without IR, which the old mini didn't have (nor did it have Front Row, and yes, that's just software, but still, Front Row can't be "officially" added to a computer without it without hacking it, and even then, technically "pirating" it - and you still have no way to control it via IR without adding third party products like an IR receiver)
3. The ability to play 1080-line HD (which the previous mini didn't have the horsepower to do), which is a huge step toward, oh, I don't know, using it as an HD media center
4. Optical S/PDIF audio input and output (huge addition - previous mini did not have)
5. The ability to actually do sharing with Front Row of music, photos, and video from other computers on the local network (a big functional improvement and almost a necessity for a "media center")
6. Less important: the fact that it has a dual core processor in a 6.5"x6.5"x2" form factor, the addition or 802.11a, and Intel HD Audio
So yes, it's a mini with amazing features, by most estimations. If *you* don't like it (and I'm not saying you do or don't), fine - don't get one. But that doesn't change the fact that it has an array of new features that make it dramatically more useful as a media center than it was before).
Apple said they were going to announce some "fun new products". Forget the pouch, jeez. They introduced an Intel-based Mac mini with amazing features inside of the same form factor as the old mini, and a nifty set of iPod speakers that has unseated the previous leader in this category in the opinion of most reviewers (Bose).
Apple stopped always putting all of its eggs in the Macworld/WWDC basket, and introducing products when they became available. The Intel-based Mac mini is a pretty damned good product, and a huge hint at Apple's admittedly tentative and cautious steps toward the living room.
So what's wrong with that?
What were we supposed to get?
An Apple cell phone?
An Apple tablet?
A touchsheen video iPod?
Anyone expecting those things at every single introduction is expecting too much.
Yes, I did miss the part about the VGA, Composite, S-Video, and HDMI out. I only saw the connectors on the back. If there's an adapter, then I retract my complaint about lack of such.
Yes, there are adapters for those things. But since I said it had those things in my original post that you were replying to, I figured that you either 1.) missed it, or 2.) didn't even read my post.
Not really. True, there are no BluRay or HD-DVD drives even on the market yet, but could you add one when they're released in May? I doubt it.
What does this have to do with being able to do HD out of a Mac mini without HDCP? I can do HD video right now (and will be able to with an Intel-based Mac mini), not with HDCP. And also, has it occurred to you that Apple might start selling HD content via the iTunes store, which also won't require HDCP?
I'm not saying it makes the Mac Mini worthless, just not great as a media center, even for the price.
Well, it's actually pretty perfect for people who use iPhoto to manage their photos, use iTunes to manage (or download) their music (and download videos and TV shows), and also have (an)other Mac(s) that have such items on them, since it's able to dynamically detect and connect these things over the network, in a manner than normal people can use.
In fact, this is *far* more desirable than a typical Windows or MythTV media center type system to quite a large number of people. Far more people than you realize.
80GB is tiny for PVR purposes, especially when you factor in that the same storage is used for the OS and any other software you want to install.
That's pretty funny, considering most DVRs - even those intended for *HD* purposes - from commercial cable and satellite operators have 40 or 80GB drives. For example, the Motorola BMC9012 and 9022D that Charter is currently deploying as "Charter DVR" has a 40GB hard drive. It stores 42 hours of standard definition content, 14 hours of HD content, or a mix of both.
Believe it or not, this is more than enough for ordinary humans.
And, regardless, you can get up to a 120GB drive in the Mac mini. "Tiny" for a "real" media center, I know. (Not to mention there's a dual-layer DVD burner, but I digress.)
PVR, in my opinion, is part of what makes a "media center PC" a media center PC. Roughly 50% of it, in fact.
Well, 1.) that's your opinion, and 2.) no one ever said the Mac mini was a PVR. Also, in case you'd missed it, Apple's model for accessing content from TV is not recording it, but downloading it. Sure, not *everything* is there, but imagine a TV download store with the breadth of the iTunes Music Store, where essentially everything is available for download, all without commercials. If you're a a retard with no life who needs to watch dozens of TV shows a week, or hoard TV shows just for the sake of doing it on terabyte disks in your leet MythTV tower system, downloading TV from iTunes - or the Mac mini, for that matter - probably isn't for you. But if you're a normal person, in an environment where the iTunes offerings are greatly expanded, you might be able to see a day where downloading the shows you want from iTunes on demand is actually cheaper - and a better experience - than paying for your cable or satellite operator and recording them. In fact, you might only keep your broadband connection and choose to use the iTunes/iPod/Mac/etc. paradigm to obtain and manage your media.
Sure, go ahead and laugh, but that's *exactly* what Apple has positioned themselves for, and *exactly* what will make them just as successful in that arena as the music store that just got done selling 1 billion songs.
Why deal with the nightmare hassles of tuning various cable and satellite providers in different markets, multiple tuners, and all of this crap when you can sell content directly from the content originators to the end customer, on-demand, and with (currently, anyway) no commercials?
Did you miss the part where you can actually do VGA, Composite, S-Video, and HDMI out? (And this isn't a DVR...so it doesn't need video in. If you need video (or TV) in, either get a third party product to go along with your Mac mini. This isn't for recording TV or external sources. Your external "source" is the iTunes store. That's Apple's strategy.)
And yes, you can most certainly do HD video without HDCP. (???)
And only a "couple of shows" on an *80 GB* drive (you can get up to 120, and keep the price of the whole unit in mind, please, and if you think you can build a better PC, no one's forcing you to buy a Mac mini)? LOL!
And as for your button complains, apparently you've never used, or even seen, Front Row.
If it's anything like the previous Mac mini, and anything like Apple's general design philosophy for such devices, it will probably be whisper quiet and almost inaudible save for the hard disk.
Yeah, I figured you jumped on the submission. It was just the way it was worded that made me smile...like a leather iPod case is bigger news than Intel-based Mac mini media centers.;-)
Just giving you a hard time. And I got one of the minis too.
How about the new Mac mini, which has a 1.5GHz Intel Core Solo or 1.66GHz Core Duo, 512MB RAM (expandable to 2GB), a combo drive or DVD±R/RW SuperDrive, up to 120 GB drive, DVI/VGA/composite/S-Video out on Intel GMA950 graphics (up to 1920x1200), 802.11a/b/g, Bluetooth 2.0+EDR, gigabit ethernet (!), four USB 2.0 ports, FireWire 400 (Yes, FireWire is here to stay, folks), analog and digital (S/PDIF) in/out, and an IR remote with Front Row media center software that supports sharing music, photos, and videos between libraries on any other machine on the local network, starting at $599 ($579 govt/education), all in the same tiny form factor as the old Mac mini (6.5"x6.5"x2")?
And a freaking set of speakers and a $99 leather case for the iPod are the "most interesting"?;-)
I love how the submission is like "IPOD SPEAKERS", "LEATHER IPOD CASE", and then at the end, "oh yeah, and media center Intel-based Mac minis, too".;-)
What I want to know is what Apple's going to do with its new 107,000 square footTier IV data center... iTunes Movie/Media Store, anyone?
Plays for Sure is a standard, if only in that most (all?) subscription music services use it. That includes Napster, Rhapsody, Yahoo, Walmart, and certainly Urge, the new service from Microsoft and MTV. Apple's DRM cannot be a standard because it is only used by Apple itself.
If it weren't for the fact that all of the other services combined are dwarfed by Apple's share of this market, which is over 80%, your argument might hold some water. To say nothing of the fact that the most popular digital music player, also with over 80% of its own marketplace, doesn't work with any of those other services. If you want to whine about Apple, go for it, but Windows Media's DRM - aside from being licensable for the purpose of direct and significant benefit to Microsoft, not because of any altruistic reasons - is just as closed as Apple's.
Also, AAC is most definitely not a pretender. It's an internationally recognized standard, and has been since its creation. Now if you're talking about what was used most for online music outside of online music stores, sure, of course it was MP3. But that doesn't make AAC any less of the open international standard that it is. Not to mention that AAC is higher quality than MP3 at the same datarates. And this argument is off-point because no (major) online music stores use MP3; they all use either protected AAC or protected Windows Media. And AAC is by far the most used among all online music stores.
So any way you slice it, AAC is the most open (by virtue of it being an international MPEG standard), and the most used.
Actually, no, "standard" still means what it always has.
And no, it's not better than the "proprietary Apple stuff", because:
Windows Media Audio is NOT a standard by any definition. It's closed and proprietary[1]. Microsoft's DRM is also proprietary (but DRM is by its very nature, so that's somewhat irrelevant).
So while both are "closed" because of the DRM, if anything is more "standard" and non-proprietary, it's Apple's. Also, if how many people use something has any bearing on whether it's considered something of a de facto standard, Apple also wins here too, since it utterly dominates this market.
Nice try, though!
[1] Yes, Microsoft has submitted Windows Media Video 9 to SMPTE as VC-1. However, it must go through a very long process before it's standardized, and also, this was a very empty gesture meant to calm critics who said Windows Media wasn't open.
1) Your original post made it sound like a changed icon/social engineering trick. Adding a single word 'also' does not mitigate that.
The vulnerability *I* was describing, i.e., the one that worked in Mail.app with this malformed-shell-script- masqerading-as-something-else, is a changed icon/social engineering trick. Albeit one that, in the example of Mail.app, one that a lot of people could possibly fall for, since Mail identifies it as a "JPEG Image", it has the correct icon, etc.; but by the time the user clicks it, it's too late. Which was exactly why I was bringing it up.
2) You repeat that this is what you do for a living (post on slahdot?). Congratulations. Being a computer professional does not make you special on slashdot.
1. I didn't say it made me special,
2. I didn't say it made me special "on slashdot".
3) Your closing argument (paraphrased): when the vulnerability is fixed, it will come down to social engineering. Ummmmmm OK - thats true I guess (shrugs). My point was Ubuntu (and all other linux distros I'm aware of) do not do the script auto-execution (of malformed, or otherwise) of which you speak. Prior to hearing of this, I thought neither did OS X
"Ummmmmm", but that's exactly what I said. I said once the (Safari auto-download-and-execute) vulnerability is fixed, it will come down to social engineering.
Also (now speaking of the Safari vulnerability), this isn't some kind of deep-rooted flaw in Mac OS X. This is specific to precisely two things:
Safari passing things it interprets to be "safe" compressed files for handling after download, and LaunchServices subsequent execution. They ARE set as executable. This isn't some non-executable script getting executed erroneously. It IS executable. It just doesn't get seen by Safari as executable because it's missing the shebang. This is clearly a mistake.
Now, I will agree that this functionality should probably be eliminated (the whole "safe files" business). But, Apple will probably try to hold onto the safe files functionality for various reasons, and therefore, all it needs to do is properly recognize this as executable. They were obviously making some assumptions before that can't be made with regard to when/how something may be executable. But make no mistake: this IS an executable file. Also, it's not that the "OS" has "auto script execution". It's a Safari problem. This was an unintentional oversight that should have been fixed when the rest of the safe files stuff was "fixed" a year ago. Yes, Safari is seen by many as part of the OS, but Safari is just an application. A Linux application trusted by the user and the system could just as easily have a similar type shortcoming (NO, not identical - I said "similar"). This is NOT the intended behavior of Safari. Which is why it will be fixed.
Whether or not Apple should do away with the idea of thinking there "are safe files" altogether (which I agree with) is a matter of a different discussion.
Um, not you're not - or you wouldn't have written in your original post: This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. This vulnerability has nothing to do with icons.
The extended part of the vulnerability that I was talking about in my post, and was the whole point and purpose of my post, whose subject was "Also works in Mail.app", the key word being ALSO, does have everything to do with icons (and resource forks, and the fact that a Mac executable can have any name, etc.)
OK - I guess its true that you're aware now you've read other posters detailing how this works.
No. This is what I do for a living. Like I said, I'm well aware of how it works, and I was providing information on ADDITIONAL exposure; the context of the subject of my post (ALSO works in Mail.app) proves that. Also, I've already posted in various forums this morning on this issue (e.g., http://listserv.cuny.edu/Scripts/wa.exe?A1=ind0602 &L=macenterprise). Further, the general Mac news web sites and Mac-focused lists had information about this long before slashdot picked it up. As I said, this is what I do for a living, but thanks for your troll nonetheless.
Not if the website's been hacked.
...
The fix should have been to disable the "Open safe files after downloading" option by default a year ago - Apple's failure to do this is fairly typical of a large software company trying to balance security & ease of use.
Yes, that I agree with. Even though I wasn't talking about this in my initial post, I think the discussion around this assumes that Apple will still try to maintain the "safe" files paradigm, though there is arguably no such thing as a "safe" file.
And as we all know, that can happen on any platform.
I am not aware of any way you can execute something under Ubuntu without explicitly setting the execute bit.
Please link to examples.
Context. I said:
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something. And as we all know, that can happen on any platform.
This means "as we all know, that can happen on any platform" is in direct reference to "every other aspect of this just becomes tricking the user to click something". NOT in reference to the auto-execution of malformed shell scripts because of Safari and LaunchServices' bogus handling, to which the "Once fixed (or, in the interim, a single box unchecked)" part of the statement refers.
Nice attempt to try to paint me as ignorant, but since everything I said is perfectly valid, and since my initial post was clearly describing an ADDITIONAL exposure via this method, I'm sure everyone will be able to see that.
However, I doubt you'll admit you were wrong and that you totally misread my post.
I'm speaking of the Mail.app and associated social engineering aspects of this vulnerability, not the Safari auto-execution, which I thought was clear from my message. I'm fully aware of how the Safari portion of the vulnerability works. I'm providing an *additional* way this can work.
Oh, yeah, Mail.app just doesn't display it and run it on its own...you must still manually click on or otherwise execute it. But, since it appears to legitimately be a simple jpeg image, many users would just click it, at which point Terminal launches and the script is executed.
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.
This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.
I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay.:-(
And looks like my response went over your head: it's not really funny since various Linux distributions, and indeed any OS, have had their share of all manner of vulnerabilities, so offering Ubuntu as a "fix", even as a "joke", isn't really funny or clever.
And yes, I'm completely aware of how the vulnerability works, thanks. You'll note I'm actually offering mechanisms via which the vulnerability works beyond the scope of even the original vulnerability. In other words, it's even more serious than the vulnerability implies.
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
Ubuntu can't run shell scripts and can run ordinary productivity software in a commercially supported OS environment from a major vendor?
Sign me up!
And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...
You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).
You can test this by downloading this harmless exmaple:
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
Like almost everything Apple POPULARIZED, it came from somewhere else. The GUI. The mouse. The laser printer. 802.11. USB. Apple didn't "invent" any of these things. It POPULARIZED them. Made them more popular than they would have been had it not been for Apple. Made people take notice. Made them useful. Sped their adoption. However you want to describe it.
And Apple popularized these things, made them mainstream. Made people recognize a technology, made it pretty, made it usable, and made people start using it on a wide scale.
Since it's pretty obvious to most people that that's exactly what happened, and is generally accepted in the industry, I guess there's nothing more to say.
...to smoke a huge crack pipe and write about Apple?
(And while Cringely's stuff is interesting, his last fantasy column with a similar theory about an outfit called DVDstation which would purportedly let you download full-length movies to your iPod and take them home was missing several critical implementation details about how such a service could even work, with respect to DRM, playback, and so on...he totally overlooked all this, confident that this was true. Of course, DVDstation never had such a product and just wanted to ride the coattails of the video iPod introduction...but does he ever have to correct himself?)
1. Business purchasers are consumers. Deal with it. IBM has millions of TPM systems deployed with software that actually makes use of the TPM module. Using your definition, educational institutions and the publishing industry are also not "mainstream consumers." Frankly, you're also ignoring the large numbers of individuals that buy IBM laptops because they're high quality and nigh indestructible.
That's not what the "consumer market" means. "Consumer market" doesn't mean all people who are "consumers" in general. The mainstream consumer marketplace is home and individual buyers, period. It is not institutional purchasers. It is not educational institutions. It is not business. It is not enterprise. It is not professional markets. That's what people mean when they say "consumer marketplace". And it's hard to take new technologies into the consumer marketplace because it's so diverse. It's much easier to introduce them in rigidly controlled and centrally funded and managed enterprise IT environments.
2. The number of Windows based systems with installed TPM modules dwarfs anything that Apple has shipped in the last few months, even if you exclude IBM. Dell sells them. Fujitsu sells them (E8000, S7000, P1500, ST50XX. B6000, T4000). (Here's a whole list of manufacturers that have shipped TPM modules in Windows based machines.
No. This is the managed business marketplace. Places with centralized purchasing and requirements. Again, see above.
3. Really, knock off the drugs. Intel invented USB. Intel pushed USB. Intel rammed USB down every whitebox manufacturer's throat well before Apple introduced its USB keyboards and mouse with those candy colored iMacs in January 2002. I have Microsoft USB keyboards that are older than that. Roundup of USB optical mice from August 2000.
Wow, guess you must have missed a few years, there. Apple most certainly didn't first ship USB in 2002. It was May 1998. Four years earlier than you allege. Four *years*. Therefore, your link from 2000 is meaningless. In fact, *all* Apple computers have had USB keyboards and mice exclusively since January 1999. And one of many anecdotal examples:
Did You Know... USB was introduced in 1997 but the technology didn't catch on until the introduction of the Apple iMac in 1998 --ironic because USB was developed by several PC-focused companies, including Compaq, DEC, IBM, Intel and Microsoft.
The *reason* this happened is because Apple was the first company - and still, in 2006, one of few - to be willing to completely ditch legacy technologies to move the industry forward.
Now that I've addressed the specific points therein, I'd appreciate external references to things that give sales numbers, introduction dates, and other points that prove that Apple got either of those technologies on the market before Windows PC suppliers. Otherwise, have a nice day, and seek counseling.
Well, your first two points are addressed because of your continuing misunderstanding of what the consumer market it. This isn't just what I call it; that's what the industry calls it.
And you were off by only 4 years on USB.
As to 802.11, for example, Apple delivered AirPort in mid-1999. NO end-user consumer machines had 802.11, and it was something that you had to get a minimum $300 PC Card and a $1000 (Lucent RG-1000) access point to use. I.e., totally out of the reach of home/individual users, not to mention was not easy to set up and would have been horrid on PCs (and still was, until really XP SP1, several years later). Yet Apple's access point was easy to set up and use for an end user, and was under $300. The wireless card for the client was under $100. Dell didn't even ship integrated wireless for a full *two years* after Apple announced it.
Well, this doesn't have anything to do with what we're talking about, and is actually, if anything, the reverse of the situation we're talking about (which is that you could be barred from Olympic competion if you're a professional athlete). Jeremy Bloom wasn't barred from Olympic competition for being a professional athlete, and indeed wasn't barred from Olympic competition at all. In fact, he's not a professional athlete at all by IOC rules. The only thing that barred him was the NCAA because he was accepting endorsements.
In other words, what you said has nothing to do with this, and I'm not sure why you posted it.
...unless spam or spyware is illegal in Australia, or against terms set by the International Olympic Committee (which probably includes stipulations for non-voliation of the laws of competitors' native countries), then no, he shouldn't be barred from competition.
Also, on the subject of "amateurs", you can't be a "professional" in the sport you're competing in. There's nothing to say that someone can't be rich, or be a "professional" in some other field. He shouldn't be barred for "richly supporting himself" either, until installing spyware becomes an Olympic sport.
Slashdot Mirror
Yes. And I explain that on the site.
But the original article makes it look like any Mac OS X machine out on the internet could just get "hacked", and was "easy pickings". Do you, or do you not, agree that the article should have made *some* reference, at least in passing, that people were allowed to have local accounts on the machine? I.e., a way that the vast, vast, vast majority of consumer Mac OS X machines will never be used (to say nothing that they'll probably never have any ports open, either)?
So there's a local privilege escalation vulnerability that, according to the "hacker", hasn't been reported to Apple. So if it's "unpublished", and therefore hasn't (likely) been reported to Apple, what is Apple to do about it?
The article is not fair because it doesn't tell a critical detail about the situation: that LOCAL ACCESS was allowed. If you don't think that's a *huge* omission in this context, I don't know what else to say. The majority of people who read that article will leave with the specific and distinct impression that a Mac OS X machine can be "hacked" just from being connected to the internet. That is patently untrue. I'm simply showing that.
Mac OS X Security Challenge
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access
- Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the reqiurements.
1. Gigabit ethernet (*usually* unheard of on a product of this size and price - yes, yes, yes, I'm sure you'll come up with examples of other computers that have GigE, but none will be that size *and* price category)
2. The Apple Remote can't be used without IR, which the old mini didn't have (nor did it have Front Row, and yes, that's just software, but still, Front Row can't be "officially" added to a computer without it without hacking it, and even then, technically "pirating" it - and you still have no way to control it via IR without adding third party products like an IR receiver)
3. The ability to play 1080-line HD (which the previous mini didn't have the horsepower to do), which is a huge step toward, oh, I don't know, using it as an HD media center
4. Optical S/PDIF audio input and output (huge addition - previous mini did not have)
5. The ability to actually do sharing with Front Row of music, photos, and video from other computers on the local network (a big functional improvement and almost a necessity for a "media center")
6. Less important: the fact that it has a dual core processor in a 6.5"x6.5"x2" form factor, the addition or 802.11a, and Intel HD Audio
So yes, it's a mini with amazing features, by most estimations. If *you* don't like it (and I'm not saying you do or don't), fine - don't get one. But that doesn't change the fact that it has an array of new features that make it dramatically more useful as a media center than it was before).
What were they expecting?
Apple said they were going to announce some "fun new products". Forget the pouch, jeez. They introduced an Intel-based Mac mini with amazing features inside of the same form factor as the old mini, and a nifty set of iPod speakers that has unseated the previous leader in this category in the opinion of most reviewers (Bose).
Apple stopped always putting all of its eggs in the Macworld/WWDC basket, and introducing products when they became available. The Intel-based Mac mini is a pretty damned good product, and a huge hint at Apple's admittedly tentative and cautious steps toward the living room.
So what's wrong with that?
What were we supposed to get?
An Apple cell phone?
An Apple tablet?
A touchsheen video iPod?
Anyone expecting those things at every single introduction is expecting too much.
Yes, I did miss the part about the VGA, Composite, S-Video, and HDMI out. I only saw the connectors on the back. If there's an adapter, then I retract my complaint about lack of such.
Yes, there are adapters for those things. But since I said it had those things in my original post that you were replying to, I figured that you either 1.) missed it, or 2.) didn't even read my post.
Not really. True, there are no BluRay or HD-DVD drives even on the market yet, but could you add one when they're released in May? I doubt it.
What does this have to do with being able to do HD out of a Mac mini without HDCP? I can do HD video right now (and will be able to with an Intel-based Mac mini), not with HDCP. And also, has it occurred to you that Apple might start selling HD content via the iTunes store, which also won't require HDCP?
I'm not saying it makes the Mac Mini worthless, just not great as a media center, even for the price.
Well, it's actually pretty perfect for people who use iPhoto to manage their photos, use iTunes to manage (or download) their music (and download videos and TV shows), and also have (an)other Mac(s) that have such items on them, since it's able to dynamically detect and connect these things over the network, in a manner than normal people can use.
In fact, this is *far* more desirable than a typical Windows or MythTV media center type system to quite a large number of people. Far more people than you realize.
80GB is tiny for PVR purposes, especially when you factor in that the same storage is used for the OS and any other software you want to install.
That's pretty funny, considering most DVRs - even those intended for *HD* purposes - from commercial cable and satellite operators have 40 or 80GB drives. For example, the Motorola BMC9012 and 9022D that Charter is currently deploying as "Charter DVR" has a 40GB hard drive. It stores 42 hours of standard definition content, 14 hours of HD content, or a mix of both.
Believe it or not, this is more than enough for ordinary humans.
And, regardless, you can get up to a 120GB drive in the Mac mini. "Tiny" for a "real" media center, I know. (Not to mention there's a dual-layer DVD burner, but I digress.)
PVR, in my opinion, is part of what makes a "media center PC" a media center PC. Roughly 50% of it, in fact.
Well, 1.) that's your opinion, and 2.) no one ever said the Mac mini was a PVR. Also, in case you'd missed it, Apple's model for accessing content from TV is not recording it, but downloading it. Sure, not *everything* is there, but imagine a TV download store with the breadth of the iTunes Music Store, where essentially everything is available for download, all without commercials. If you're a a retard with no life who needs to watch dozens of TV shows a week, or hoard TV shows just for the sake of doing it on terabyte disks in your leet MythTV tower system, downloading TV from iTunes - or the Mac mini, for that matter - probably isn't for you. But if you're a normal person, in an environment where the iTunes offerings are greatly expanded, you might be able to see a day where downloading the shows you want from iTunes on demand is actually cheaper - and a better experience - than paying for your cable or satellite operator and recording them. In fact, you might only keep your broadband connection and choose to use the iTunes/iPod/Mac/etc. paradigm to obtain and manage your media.
Sure, go ahead and laugh, but that's *exactly* what Apple has positioned themselves for, and *exactly* what will make them just as successful in that arena as the music store that just got done selling 1 billion songs.
Why deal with the nightmare hassles of tuning various cable and satellite providers in different markets, multiple tuners, and all of this crap when you can sell content directly from the content originators to the end customer, on-demand, and with (currently, anyway) no commercials?
So I can only voice my opinion when som
Did you miss the part where you can actually do VGA, Composite, S-Video, and HDMI out? (And this isn't a DVR...so it doesn't need video in. If you need video (or TV) in, either get a third party product to go along with your Mac mini. This isn't for recording TV or external sources. Your external "source" is the iTunes store. That's Apple's strategy.)
And yes, you can most certainly do HD video without HDCP. (???)
And only a "couple of shows" on an *80 GB* drive (you can get up to 120, and keep the price of the whole unit in mind, please, and if you think you can build a better PC, no one's forcing you to buy a Mac mini)? LOL!
And as for your button complains, apparently you've never used, or even seen, Front Row.
Next troll?
If it's anything like the previous Mac mini, and anything like Apple's general design philosophy for such devices, it will probably be whisper quiet and almost inaudible save for the hard disk.
Yeah, I figured you jumped on the submission. It was just the way it was worded that made me smile...like a leather iPod case is bigger news than Intel-based Mac mini media centers. ;-)
Just giving you a hard time. And I got one of the minis too.
How about the new Mac mini, which has a 1.5GHz Intel Core Solo or 1.66GHz Core Duo, 512MB RAM (expandable to 2GB), a combo drive or DVD±R/RW SuperDrive, up to 120 GB drive, DVI/VGA/composite/S-Video out on Intel GMA950 graphics (up to 1920x1200), 802.11a/b/g, Bluetooth 2.0+EDR, gigabit ethernet (!), four USB 2.0 ports, FireWire 400 (Yes, FireWire is here to stay, folks), analog and digital (S/PDIF) in/out, and an IR remote with Front Row media center software that supports sharing music, photos, and videos between libraries on any other machine on the local network, starting at $599 ($579 govt/education), all in the same tiny form factor as the old Mac mini (6.5"x6.5"x2")?
;-)
;-)
And a freaking set of speakers and a $99 leather case for the iPod are the "most interesting"?
I love how the submission is like "IPOD SPEAKERS", "LEATHER IPOD CASE", and then at the end, "oh yeah, and media center Intel-based Mac minis, too".
What I want to know is what Apple's going to do with its new 107,000 square foot Tier IV data center... iTunes Movie/Media Store, anyone?
Plays for Sure is a standard, if only in that most (all?) subscription music services use it. That includes Napster, Rhapsody, Yahoo, Walmart, and certainly Urge, the new service from Microsoft and MTV. Apple's DRM cannot be a standard because it is only used by Apple itself.
If it weren't for the fact that all of the other services combined are dwarfed by Apple's share of this market, which is over 80%, your argument might hold some water. To say nothing of the fact that the most popular digital music player, also with over 80% of its own marketplace, doesn't work with any of those other services. If you want to whine about Apple, go for it, but Windows Media's DRM - aside from being licensable for the purpose of direct and significant benefit to Microsoft, not because of any altruistic reasons - is just as closed as Apple's.
Also, AAC is most definitely not a pretender. It's an internationally recognized standard, and has been since its creation. Now if you're talking about what was used most for online music outside of online music stores, sure, of course it was MP3. But that doesn't make AAC any less of the open international standard that it is. Not to mention that AAC is higher quality than MP3 at the same datarates. And this argument is off-point because no (major) online music stores use MP3; they all use either protected AAC or protected Windows Media. And AAC is by far the most used among all online music stores.
So any way you slice it, AAC is the most open (by virtue of it being an international MPEG standard), and the most used.
Actually, no, "standard" still means what it always has.
And no, it's not better than the "proprietary Apple stuff", because:
Windows Media Audio is NOT a standard by any definition. It's closed and proprietary[1]. Microsoft's DRM is also proprietary (but DRM is by its very nature, so that's somewhat irrelevant).
Apple uses MPEG-4 Advanced Audio Coding (AAC) (more info), an open, international standard. Again, the DRM is proprietary, but all DRM essentially is.
So while both are "closed" because of the DRM, if anything is more "standard" and non-proprietary, it's Apple's. Also, if how many people use something has any bearing on whether it's considered something of a de facto standard, Apple also wins here too, since it utterly dominates this market.
Nice try, though!
[1] Yes, Microsoft has submitted Windows Media Video 9 to SMPTE as VC-1. However, it must go through a very long process before it's standardized, and also, this was a very empty gesture meant to calm critics who said Windows Media wasn't open.
OT: We should do this again sometime - nothing like a couple of one-eyed partisan fanboys talking at cross purposes.
;-)
Deal.
1) Your original post made it sound like a changed icon/social engineering trick. Adding a single word 'also' does not mitigate that.
The vulnerability *I* was describing, i.e., the one that worked in Mail.app with this malformed-shell-script- masqerading-as-something-else, is a changed icon/social engineering trick. Albeit one that, in the example of Mail.app, one that a lot of people could possibly fall for, since Mail identifies it as a "JPEG Image", it has the correct icon, etc.; but by the time the user clicks it, it's too late. Which was exactly why I was bringing it up.
2) You repeat that this is what you do for a living (post on slahdot?). Congratulations. Being a computer professional does not make you special on slashdot.
1. I didn't say it made me special,
2. I didn't say it made me special "on slashdot".
3) Your closing argument (paraphrased): when the vulnerability is fixed, it will come down to social engineering. Ummmmmm OK - thats true I guess (shrugs). My point was Ubuntu (and all other linux distros I'm aware of) do not do the script auto-execution (of malformed, or otherwise) of which you speak. Prior to hearing of this, I thought neither did OS X
"Ummmmmm", but that's exactly what I said. I said once the (Safari auto-download-and-execute) vulnerability is fixed, it will come down to social engineering.
Also (now speaking of the Safari vulnerability), this isn't some kind of deep-rooted flaw in Mac OS X. This is specific to precisely two things:
Safari passing things it interprets to be "safe" compressed files for handling after download, and LaunchServices subsequent execution. They ARE set as executable. This isn't some non-executable script getting executed erroneously. It IS executable. It just doesn't get seen by Safari as executable because it's missing the shebang. This is clearly a mistake.
Now, I will agree that this functionality should probably be eliminated (the whole "safe files" business). But, Apple will probably try to hold onto the safe files functionality for various reasons, and therefore, all it needs to do is properly recognize this as executable. They were obviously making some assumptions before that can't be made with regard to when/how something may be executable. But make no mistake: this IS an executable file. Also, it's not that the "OS" has "auto script execution". It's a Safari problem. This was an unintentional oversight that should have been fixed when the rest of the safe files stuff was "fixed" a year ago. Yes, Safari is seen by many as part of the OS, but Safari is just an application. A Linux application trusted by the user and the system could just as easily have a similar type shortcoming (NO, not identical - I said "similar"). This is NOT the intended behavior of Safari. Which is why it will be fixed.
Whether or not Apple should do away with the idea of thinking there "are safe files" altogether (which I agree with) is a matter of a different discussion.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon.
This vulnerability has nothing to do with icons.
The extended part of the vulnerability that I was talking about in my post, and was the whole point and purpose of my post, whose subject was "Also works in Mail.app", the key word being ALSO, does have everything to do with icons (and resource forks, and the fact that a Mac executable can have any name, etc.)
OK - I guess its true that you're aware now you've read other posters detailing how this works.
No. This is what I do for a living. Like I said, I'm well aware of how it works, and I was providing information on ADDITIONAL exposure; the context of the subject of my post (ALSO works in Mail.app) proves that. Also, I've already posted in various forums this morning on this issue (e.g., http://listserv.cuny.edu/Scripts/wa.exe?A1=ind060
Not if the website's been hacked.
...
The fix should have been to disable the "Open safe files after downloading" option by default a year ago - Apple's failure to do this is fairly typical of a large software company trying to balance security & ease of use.
Yes, that I agree with. Even though I wasn't talking about this in my initial post, I think the discussion around this assumes that Apple will still try to maintain the "safe" files paradigm, though there is arguably no such thing as a "safe" file.
And as we all know, that can happen on any platform.
I am not aware of any way you can execute something under Ubuntu without explicitly setting the execute bit.
Please link to examples.
Context. I said:
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something. And as we all know, that can happen on any platform.
This means "as we all know, that can happen on any platform" is in direct reference to "every other aspect of this just becomes tricking the user to click something". NOT in reference to the auto-execution of malformed shell scripts because of Safari and LaunchServices' bogus handling, to which the "Once fixed (or, in the interim, a single box unchecked)" part of the statement refers.
Nice attempt to try to paint me as ignorant, but since everything I said is perfectly valid, and since my initial post was clearly describing an ADDITIONAL exposure via this method, I'm sure everyone will be able to see that.
However, I doubt you'll admit you were wrong and that you totally misread my post.
I'm speaking of the Mail.app and associated social engineering aspects of this vulnerability, not the Safari auto-execution, which I thought was clear from my message. I'm fully aware of how the Safari portion of the vulnerability works. I'm providing an *additional* way this can work.
Oh, yeah, Mail.app just doesn't display it and run it on its own...you must still manually click on or otherwise execute it. But, since it appears to legitimately be a simple jpeg image, many users would just click it, at which point Terminal launches and the script is executed.
From another response I just gave:
:-(
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.
This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.
I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay.
Um, yes, I got the "joke", thanks.
And looks like my response went over your head: it's not really funny since various Linux distributions, and indeed any OS, have had their share of all manner of vulnerabilities, so offering Ubuntu as a "fix", even as a "joke", isn't really funny or clever.
And yes, I'm completely aware of how the vulnerability works, thanks. You'll note I'm actually offering mechanisms via which the vulnerability works beyond the scope of even the original vulnerability. In other words, it's even more serious than the vulnerability implies.
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
Ubuntu can't run shell scripts and can run ordinary productivity software in a commercially supported OS environment from a major vendor?
Sign me up!
And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...
You can test this by downloading this harmless exmaple:
http://www.heise.de/security/dienste/browsercheck
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
Yes. It was from the "WinTel" world.
Like almost everything Apple POPULARIZED, it came from somewhere else. The GUI. The mouse. The laser printer. 802.11. USB. Apple didn't "invent" any of these things. It POPULARIZED them. Made them more popular than they would have been had it not been for Apple. Made people take notice. Made them useful. Sped their adoption. However you want to describe it.
And Apple popularized these things, made them mainstream. Made people recognize a technology, made it pretty, made it usable, and made people start using it on a wide scale.
Since it's pretty obvious to most people that that's exactly what happened, and is generally accepted in the industry, I guess there's nothing more to say.
...to smoke a huge crack pipe and write about Apple?
(And while Cringely's stuff is interesting, his last fantasy column with a similar theory about an outfit called DVDstation which would purportedly let you download full-length movies to your iPod and take them home was missing several critical implementation details about how such a service could even work, with respect to DRM, playback, and so on...he totally overlooked all this, confident that this was true. Of course, DVDstation never had such a product and just wanted to ride the coattails of the video iPod introduction...but does he ever have to correct himself?)
1. Business purchasers are consumers. Deal with it. IBM has millions of TPM systems deployed with software that actually makes use of the TPM module. Using your definition, educational institutions and the publishing industry are also not "mainstream consumers." Frankly, you're also ignoring the large numbers of individuals that buy IBM laptops because they're high quality and nigh indestructible.
That's not what the "consumer market" means. "Consumer market" doesn't mean all people who are "consumers" in general. The mainstream consumer marketplace is home and individual buyers, period. It is not institutional purchasers. It is not educational institutions. It is not business. It is not enterprise. It is not professional markets. That's what people mean when they say "consumer marketplace". And it's hard to take new technologies into the consumer marketplace because it's so diverse. It's much easier to introduce them in rigidly controlled and centrally funded and managed enterprise IT environments.
2. The number of Windows based systems with installed TPM modules dwarfs anything that Apple has shipped in the last few months, even if you exclude IBM. Dell sells them. Fujitsu sells them (E8000, S7000, P1500, ST50XX. B6000, T4000). (Here's a whole list of manufacturers that have shipped TPM modules in Windows based machines.
No. This is the managed business marketplace. Places with centralized purchasing and requirements. Again, see above.
3. Really, knock off the drugs. Intel invented USB. Intel pushed USB. Intel rammed USB down every whitebox manufacturer's throat well before Apple introduced its USB keyboards and mouse with those candy colored iMacs in January 2002. I have Microsoft USB keyboards that are older than that. Roundup of USB optical mice from August 2000.
Wow, guess you must have missed a few years, there. Apple most certainly didn't first ship USB in 2002. It was May 1998. Four years earlier than you allege. Four *years*. Therefore, your link from 2000 is meaningless. In fact, *all* Apple computers have had USB keyboards and mice exclusively since January 1999. And one of many anecdotal examples:
Did You Know...
USB was introduced in 1997 but the technology didn't catch on until the introduction of the Apple iMac in 1998 --ironic because USB was developed by several PC-focused companies, including Compaq, DEC, IBM, Intel and Microsoft.
The *reason* this happened is because Apple was the first company - and still, in 2006, one of few - to be willing to completely ditch legacy technologies to move the industry forward.
Now that I've addressed the specific points therein, I'd appreciate external references to things that give sales numbers, introduction dates, and other points that prove that Apple got either of those technologies on the market before Windows PC suppliers. Otherwise, have a nice day, and seek counseling.
Well, your first two points are addressed because of your continuing misunderstanding of what the consumer market it. This isn't just what I call it; that's what the industry calls it.
And you were off by only 4 years on USB.
As to 802.11, for example, Apple delivered AirPort in mid-1999. NO end-user consumer machines had 802.11, and it was something that you had to get a minimum $300 PC Card and a $1000 (Lucent RG-1000) access point to use. I.e., totally out of the reach of home/individual users, not to mention was not easy to set up and would have been horrid on PCs (and still was, until really XP SP1, several years later). Yet Apple's access point was easy to set up and use for an end user, and was under $300. The wireless card for the client was under $100. Dell didn't even ship integrated wireless for a full *two years* after Apple announced it.
Apple shippe
Well, this doesn't have anything to do with what we're talking about, and is actually, if anything, the reverse of the situation we're talking about (which is that you could be barred from Olympic competion if you're a professional athlete). Jeremy Bloom wasn't barred from Olympic competition for being a professional athlete, and indeed wasn't barred from Olympic competition at all. In fact, he's not a professional athlete at all by IOC rules. The only thing that barred him was the NCAA because he was accepting endorsements.
In other words, what you said has nothing to do with this, and I'm not sure why you posted it.
...unless spam or spyware is illegal in Australia, or against terms set by the International Olympic Committee (which probably includes stipulations for non-voliation of the laws of competitors' native countries), then no, he shouldn't be barred from competition.
Also, on the subject of "amateurs", you can't be a "professional" in the sport you're competing in. There's nothing to say that someone can't be rich, or be a "professional" in some other field. He shouldn't be barred for "richly supporting himself" either, until installing spyware becomes an Olympic sport.
Hmm. Don't give them any ideas.