"Apple reserves the service manuals to authorized service providers. To be authorized, they have to demonstrate their competence. If Apple doesn't act against anyone publishing their confidential service manuals in whole or in part without authorization, then they lose control of the service of Macs, which results in slipshod work performed by unqualified technicians."
How many times do you ask the repair guy "Can I see your manual to verify that it's a valid copy?" If there's gonna be slipshod work, there's gonna be slipshod work regardless of who sees the manual. There are a million and ten "Fix your computer" businesses in NYC, for example. What's more appealing-having a college kid fix your Mac for 20 bucks an hour at your home, or schlepping the monster-Macs down to the Apple store/Tekserve? If you've got a laptop, I guess the answer's obvious- schlep away. But an iMac or a G5? Forget it. You practically have to hire movers.
"But how often do you allow someone into your machine? For A desktop, not often, perhaps never."
Err. Not quite. Desktops are often shared among members of the family, and even friends that are visiting. Your fourteen year old son's friend comes over, jumps on to check his email- he has access. Also, anything that can be done manually as a human can also be done programmatically, and run with the permissions of the user. So if a regular user account can sieze control of or elevate their permissions, then so can an application that runs at the level of that user. Got a clueless end-user that actually downloads and double-clicks that thing pretending to be a JPEG?
"how often do you allow someone into your machine? for a SERVER not often" would be a better statement. Most mainstream non-dedicated hosting companies do not allow SSH/telnet access to accounts.
With so many Mac applications breaking after minor _point_ updates, I can't even imagine running a major system-interwined utility after an update. I mean hell, Retrospect has an issue where you have to download the right point version to match the right point version, otherwise you're looking at data corruption. And Retrospect is a _backup utility_. I don't even know if the downloadable updates for the point-versions alert you to the issue if you run them.
Programmers (on the Mac?) don't seem to like to fail in ways that leave the user unharmed. Too much of a 'That could never happen' attitude, not enough checking and re-checking of things, and not enough fatal exceptions. (Yes, crashes are good things when the alternative is bye-bye data)
Slowing them down not only makes them more annoying, but it also ensures that your message DOES NOT get across. What is advertising? It's a carefully planned message-in-motion at approximately 15-60fps. Having someone step through it frame-by-frame to look for a coupon does *NOT* make them recepients of your message.
If they wanted to capture someone's attention they should just throw up the coupon, and freeze there for the whole 15-30 second spot. Static image. Can you imagine? People would be going nuts trying to figure out if their TV was broken.:p
Doesn't the auditor become suspicious when the web browser hasn't been used for anything?:p It's the first thing that would clue me in to network abuse. And once you know who's doing it, it's not that big a deal to monitor them personally.
Unless you're in NYC and you want to be able to get home without being detained. If you have the unhappy luck of wandering through a protest, the chance of being asked for ID is high. If you have to go into a building of any sort, the chance of your being asked for ID is high. And I've seen random moments where police officers have asked for ID from people in the subways/train stations. While I'm not sure what happens if you don't procure your ID, I do know that I prefer to have it with me. Even though I'm a distinctly non-middle eastern female who is not likely to be detained for anything.
Your ability to secure your system does not equal a secure system. It's the people who are UNABLE to secure their systems that prove day in and day out how secure a system is.
I'm no fan of Apple. In fact, I'm an anti-apple zealot. but the claim "Well MY system hasn't had a virus in YEARS, and all I had to do was install an antivirus, shut down half a dozen different ports, avoid using popular software, and quit surfing porn. Oh, and never open a single attachment that comes to me via email..."? It just doesn't hold water.
A loaded gun in the hands of someone who knows how to handle it, is pretty safe. A loaded gun in the hands of a neophyte is not. Windows, even if due to it's popularity, is a loaded gun.
I do agree with the premise of the article, though. Mac users should be pre-emptively more cautious. Being the first to be hit with a new virus is NO consolation when your data hasn't been backed up and you haven't bothered trying to secure your "fabulously safe" system despite warnings.
The fact that it has been YEARS since OS X was released and there is still no virus? It's called "Time to prepare", not "time to ignore the possibility of danger."
I think it's due to the fact that there are fewer gamer-girls/geek-girls, so men try to encourage women to join in on it. It's the online equiv. of free drinks for the ladies in a bar. They're trying to make it easy for a woman to start off/advance in the game so that she'll get hooked on it, and the gender gap will close. *shrug* Most of them back off nicely if you indicate that you're not willing, or that you're already familiar with the rules/etc. of the game.
When you see Gates talk about the various charities that he contributes to, and the various diseases/issues that he is dedicated to fighting, he is obviously well-versed and passionate in the issues, and not just throwing money at it.
Jobs, I've never seen talk about the charities that he donates to. (NOT saying that he doesn't talk about them, just that I haven't seen him talk about them.) so I can't really comment on him.
That's dumb. Job postings are usually the work of a recruiter or HR person that doesn't know what they're talking about. They may get the technologies-required list from the tech staff, but then they tuck in the years-required all on their own to spiffy it up for the job boards.
To assume "this company doesn't know jack squat" and disregard the job just because the years on the posting are wonky is stupid.Respond. You've been using the technology since it became publically available. You're qualified.
If you get the interview, and realize that the description was actually written by the person that will be your new supervisor, and he's a moron, then you can always opt not to take the job. But to just ignore it on the basis of something most likely attributable to some HR lackey's decision to add years to the job requirements? Absurd.
Interesting question. Is a company that releases an inferior product, but that has a monopoly required to force their customers to pay subscription fees for multiple software packages by third parties needed to patch the vulnurability? And if they decide to release their own software to fix the problem, are they partaking in anti-competitive practices by wiping out companies that exist solely to patch the problem?
If they charge a competitive fee for the software, is that better or worse than giving it out for free? On one hand they're screwing their customers who live with the bugs, on the other hand they're putting companies out of business.
Murder is illegal because it deprives another of the rights and property that they've worked to obtain by depriving them of their life.
Marriage is a contract between two individuals. Unless a 10 year old can enter into a legally binding contract, I don't see why a 10 year old should be permitted to enter into a marriage.
Rape of all sorts is an assault.
and the list goes on.
All "moral" legislation insofar as murder etc. has other non-moral reasons for existing. The acts that they ban damage someone's rights, deprives them of property, etc. and basically damages the capitalistic/democratic ideal that we've agreed to live by.
"Moral" legislation ala a homosexual marriage ban, a ban on pornography, the inability to abort a non-viable (ie: WILL NOT LIVE outside of womb-fetuses without brains, or other necessary organs) fetus in a way that does not endanger your life or future fertility, the laws against suicide or physician assisted suicide with appropriate documentation stating that it is our will, etc. is just an assault on our freedoms and the right to choose what works for us, as consenting adult individuals. It also forces us to abide by the rules of a religion that is not ours, and that flies in the face of our religion, with no justification for the existance of the law other than religious/morality justifications.
There's a difference between the real world and the digital. In the real world, cops base their discrimination on looks, clothing, etc. There is some validity to that, but very little especially as certain things are just plain dumb (long hair for example, or the wearing-of-turbans)
In the digital world, it's based on something else. The attempt of an attack. Where a "normal" person might just cruise around looking for FTP servers with anonymous logins or crusing the web tree looking for fun stuff. In this case, it's very easily argued that since it wasn't secured it was considered public. I mean. c'mon, anon FTP? If you really didn't want people logging in.. anonymously, wouldn't you disable that feature of your FTP server? And drop some index pages into your folders on the web server (or disable listing of directories)
On the other hand, there is genuine suspicious behavior--akin to trying to pick a lock with a credit card. The attempt to exploit specific vulnurabilities. Here the "Well gee, I thought it was public" or "Well, geee if it wasn't public why didn't you secure it?" argument falls to pieces. The "login as root" also doesn't fly as far as being a legitimate thing to be attempting. It's an obvious attempt to do something that you should not be doing.
I believe there are laws against randomly walking around and attempting to pick locks. Why not laws against attempting to exploit vulnurabilities? I mean. If your friend says "That's my house, go pick the lock and bring me a beer" and you do and it's not his house.. is that a legit defense? If your buddy says "Go r00t my box".. I mean. Hey. C'mon.
Heh. I bought a camera there once, the box arrived via UPS ripped open and empty. Not BB's fault, but they re-shipped the camera. It arrived an absurd amount of time after the original empty box, and by that time I had given up and purchased a different, cheaper, and better camera. So I returned the camera within the amount of time permitted. Unopened. And was informed by Best Buy that I would have my refund processed within 30 days.
30 days passed. No refund.
Best Buy had somehow arrived at the logic that A.) I could not be refunded for the reshipment because I was never billed for it. and B.) I could not be refunded for the original shipment because it was reshipped. This somehow made sense to multiple people there that I had paid nearly $300 for merchadise, did not have the merchadise, and did not have my money.
Another month passed with back-and-forth and at various points they'd promise the refund, but then follow up with a caveat. Caveat! Restocking fee. (it was returned unopened within the amount of time you required--and no restocking fee should be applied) Caveat! Return the original box--the one they told us we could throw out waaaay back in January. Hello. It's March now.
Finally the magic words were uttered. Fraud. Court. Criminal.
And I had my refund.
I actually feel compelled to check my credit card statement every month to see if they've reinstated the charges somehow. *snicker*
I suppose I could have always denied the charges. But I don't like doing that.
Eh. It's a quick and easy fix for someone who wants to "make their computer do something". It also tends to push the person to learn Javascript, and from there to learn PHP. It's like letting a young child play with a pen prior to them learning the alphabet. They learn the basic control over the instrument. (in the case of HTML: dealing with syntax, the importance of precision, learning mnemonic tricks for remembering things like "img src" (IMaGe SouRCe), etc.)
Yes, it's not a programming language--but look at the goals. To allow someone to branch out into a new area. It's unlikely his mom wants to become a professional programmer...
Freshdirect has a "no substitutions" policy. They don't offer substitutions, and if something is out of stock they just subtract it from your order. (This can be frustrating, especially if they're out of white corn and you would have gladly taken yellow corn instead.).
The biggest problem I've had with FreshDirect (Other than the occasional rude/annoying gangsta delivery guy, has been that their portions for vegetables vary wildly. Sometimes their "Jumbo Carrots" are slender tiny things that I'd buy 15 of if I were at the grocery store, other times they're these humungous monsters that I only need two of. You don't really know until they show up in a box at your door.
FreshDirect has a reasonable charge of under $4. Gristedes which has gone into competition with them offers free delivery over a certain amount, but the quality of Gristedes in-store food has always been mediocre at best, so I'm reluctant to even try their online service.
Basically, it boils down to the service you use.:) Some like the one you used, will suck. Some, like the ones I've used, will be great.
1. Paranoia is healthy. Not the "OH MY GOD SOMEONE IS WATCHING ME LET ME DON THE TINFOIL CAP!" paranoia, just the checking-the-mirrors and looking-both-ways-before-you-cross-the-street paranoia. This translates to "Don't download stuff even if it says it's from such and such a company." and "Don't assume the computer is a safe place."
2. Home users don't have to be paranoid or capable to the point of being slashdot users. However, if you put a UZI (Unix based OS) in the hands of your average civilian, they damned well better be able to handle it when it starts kicking. The average Mac OS user is used to a slingshot. Something that doesn't have "ports", something that doesn't have a backend that can be turned on. Something that doesn't have a scary little command line that's capable of wreaking havoc. They're used to a closed system that is hard to get into, and not very rewarding to those that do get into it. OS X is a whole new ballgame, and they need to learn how to handle the results. Otherwise it'll be just as bad as your average Windows system. Perhaps worse--as Windows users have lived with undying paranoia about Viruses and evil doo-dads for longer than Windows has been around.
3. Exposing vulnurabilities in the way that vulnurabilities are exposed for Windows/Unix users is foolish. It should be done by Apple, it should be done in a way that will expose the average user to it. And it should be done in a way that is informative. "Here's how YOU can prevent attacks against your system". This should apply to Windows users, too. There are far more "average" users out there than there are skilled users, and the majority of catastrophe comes from those who know nothing about what they're doing, and don't know that they're living right smack dab in the middle of a computerized hostile environment.
Telling only the owners of the lockers might be feasible, but then you'll have everyone run out of the gym and tell their significant others "Be careful at gyms! Mine has this horrid lock policy." and thus the knowledge spreads.
Besides, those that are most likely to exploit a bug are those that already belong to the "gym". They use the OS day in day out, and thus know how to take advantage of things.
It would be nice if there was a middle ground, but there isn't. It's Security through Obscurity, or Security with disclosure.
Another reason why security-with-disclosure is a good thing is because it encourages those that find the bugs to report them and to make them known. There's a little bit of fame for those that find bugs. If there's a gag order, they'll seek their fame elsewhere. Either by not finding the bugs, or by exploiting them depending on the level of maturity of the discovering party.
Scenario A: Those who find lockers with faulty locks will be rewarded.
Scenario B: Those who find lockers with faulty locks will be punished for checking to see if the lock is faulty. Either/or they will be hushed and handed an NDA.
Which do you think is more likely to produce a good whistle-blower, and which do you think is more likely to produce a covert criminal?
Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"
It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an unsecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."
Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.
If there's a vulnurability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)
Slashdot Mirror
"Apple reserves the service manuals to authorized service providers. To be authorized, they have to demonstrate their competence. If Apple doesn't act against anyone publishing their confidential service manuals in whole or in part without authorization, then they lose control of the service of Macs, which results in slipshod work performed by unqualified technicians." How many times do you ask the repair guy "Can I see your manual to verify that it's a valid copy?" If there's gonna be slipshod work, there's gonna be slipshod work regardless of who sees the manual. There are a million and ten "Fix your computer" businesses in NYC, for example. What's more appealing-having a college kid fix your Mac for 20 bucks an hour at your home, or schlepping the monster-Macs down to the Apple store/Tekserve? If you've got a laptop, I guess the answer's obvious- schlep away. But an iMac or a G5? Forget it. You practically have to hire movers.
"But how often do you allow someone into your machine? For A desktop, not often, perhaps never." Err. Not quite. Desktops are often shared among members of the family, and even friends that are visiting. Your fourteen year old son's friend comes over, jumps on to check his email- he has access. Also, anything that can be done manually as a human can also be done programmatically, and run with the permissions of the user. So if a regular user account can sieze control of or elevate their permissions, then so can an application that runs at the level of that user. Got a clueless end-user that actually downloads and double-clicks that thing pretending to be a JPEG? "how often do you allow someone into your machine? for a SERVER not often" would be a better statement. Most mainstream non-dedicated hosting companies do not allow SSH/telnet access to accounts.
With so many Mac applications breaking after minor _point_ updates, I can't even imagine running a major system-interwined utility after an update. I mean hell, Retrospect has an issue where you have to download the right point version to match the right point version, otherwise you're looking at data corruption. And Retrospect is a _backup utility_. I don't even know if the downloadable updates for the point-versions alert you to the issue if you run them. Programmers (on the Mac?) don't seem to like to fail in ways that leave the user unharmed. Too much of a 'That could never happen' attitude, not enough checking and re-checking of things, and not enough fatal exceptions. (Yes, crashes are good things when the alternative is bye-bye data)
Unfortunately, as a result of the blaring- most people mute their TV during commercials. Interesting idea, though.
Slowing them down not only makes them more annoying, but it also ensures that your message DOES NOT get across. What is advertising? It's a carefully planned message-in-motion at approximately 15-60fps. Having someone step through it frame-by-frame to look for a coupon does *NOT* make them recepients of your message. If they wanted to capture someone's attention they should just throw up the coupon, and freeze there for the whole 15-30 second spot. Static image. Can you imagine? People would be going nuts trying to figure out if their TV was broken. :p
Hah. By posting that on Slashdot, you just ensured that your preferred job board now has more programmers than jobs.
Shouldn't it be rationale for not visiting here anymore? :p I mean. If the content sucks, go elsewhere.
Doesn't the auditor become suspicious when the web browser hasn't been used for anything? :p It's the first thing that would clue me in to network abuse. And once you know who's doing it, it's not that big a deal to monitor them personally.
That might have something to do with the "links" on your personal webpage being to porn sites? ;)
Unless you're in NYC and you want to be able to get home without being detained. If you have the unhappy luck of wandering through a protest, the chance of being asked for ID is high. If you have to go into a building of any sort, the chance of your being asked for ID is high. And I've seen random moments where police officers have asked for ID from people in the subways/train stations. While I'm not sure what happens if you don't procure your ID, I do know that I prefer to have it with me. Even though I'm a distinctly non-middle eastern female who is not likely to be detained for anything.
Meh. Why not just stick it into the innoculations that we get as kids? :p Tagged from birth.
Your ability to secure your system does not equal a secure system. It's the people who are UNABLE to secure their systems that prove day in and day out how secure a system is.
I'm no fan of Apple. In fact, I'm an anti-apple zealot. but the claim "Well MY system hasn't had a virus in YEARS, and all I had to do was install an antivirus, shut down half a dozen different ports, avoid using popular software, and quit surfing porn. Oh, and never open a single attachment that comes to me via email..."? It just doesn't hold water.
A loaded gun in the hands of someone who knows how to handle it, is pretty safe. A loaded gun in the hands of a neophyte is not. Windows, even if due to it's popularity, is a loaded gun.
I do agree with the premise of the article, though. Mac users should be pre-emptively more cautious. Being the first to be hit with a new virus is NO consolation when your data hasn't been backed up and you haven't bothered trying to secure your "fabulously safe" system despite warnings.
The fact that it has been YEARS since OS X was released and there is still no virus? It's called "Time to prepare", not "time to ignore the possibility of danger."
I think it's due to the fact that there are fewer gamer-girls/geek-girls, so men try to encourage women to join in on it. It's the online equiv. of free drinks for the ladies in a bar. They're trying to make it easy for a woman to start off/advance in the game so that she'll get hooked on it, and the gender gap will close. *shrug* Most of them back off nicely if you indicate that you're not willing, or that you're already familiar with the rules/etc. of the game.
When you see Gates talk about the various charities that he contributes to, and the various diseases/issues that he is dedicated to fighting, he is obviously well-versed and passionate in the issues, and not just throwing money at it. Jobs, I've never seen talk about the charities that he donates to. (NOT saying that he doesn't talk about them, just that I haven't seen him talk about them.) so I can't really comment on him.
That's dumb. Job postings are usually the work of a recruiter or HR person that doesn't know what they're talking about. They may get the technologies-required list from the tech staff, but then they tuck in the years-required all on their own to spiffy it up for the job boards.
To assume "this company doesn't know jack squat" and disregard the job just because the years on the posting are wonky is stupid.Respond. You've been using the technology since it became publically available. You're qualified.
If you get the interview, and realize that the description was actually written by the person that will be your new supervisor, and he's a moron, then you can always opt not to take the job. But to just ignore it on the basis of something most likely attributable to some HR lackey's decision to add years to the job requirements? Absurd.
Interesting question. Is a company that releases an inferior product, but that has a monopoly required to force their customers to pay subscription fees for multiple software packages by third parties needed to patch the vulnurability? And if they decide to release their own software to fix the problem, are they partaking in anti-competitive practices by wiping out companies that exist solely to patch the problem? If they charge a competitive fee for the software, is that better or worse than giving it out for free? On one hand they're screwing their customers who live with the bugs, on the other hand they're putting companies out of business.
With the threat of people jumping ship to another OS, MS may make back their money by just keeping their customers?
Murder is illegal because it deprives another of the rights and property that they've worked to obtain by depriving them of their life.
Marriage is a contract between two individuals. Unless a 10 year old can enter into a legally binding contract, I don't see why a 10 year old should be permitted to enter into a marriage.
Rape of all sorts is an assault.
and the list goes on.
All "moral" legislation insofar as murder etc. has other non-moral reasons for existing. The acts that they ban damage someone's rights, deprives them of property, etc. and basically damages the capitalistic/democratic ideal that we've agreed to live by.
"Moral" legislation ala a homosexual marriage ban, a ban on pornography, the inability to abort a non-viable (ie: WILL NOT LIVE outside of womb-fetuses without brains, or other necessary organs) fetus in a way that does not endanger your life or future fertility, the laws against suicide or physician assisted suicide with appropriate documentation stating that it is our will, etc. is just an assault on our freedoms and the right to choose what works for us, as consenting adult individuals. It also forces us to abide by the rules of a religion that is not ours, and that flies in the face of our religion, with no justification for the existance of the law other than religious/morality justifications.
There's a difference between the real world and the digital. In the real world, cops base their discrimination on looks, clothing, etc. There is some validity to that, but very little especially as certain things are just plain dumb (long hair for example, or the wearing-of-turbans)
In the digital world, it's based on something else. The attempt of an attack. Where a "normal" person might just cruise around looking for FTP servers with anonymous logins or crusing the web tree looking for fun stuff. In this case, it's very easily argued that since it wasn't secured it was considered public. I mean. c'mon, anon FTP? If you really didn't want people logging in.. anonymously, wouldn't you disable that feature of your FTP server? And drop some index pages into your folders on the web server (or disable listing of directories)
On the other hand, there is genuine suspicious behavior--akin to trying to pick a lock with a credit card. The attempt to exploit specific vulnurabilities. Here the "Well gee, I thought it was public" or "Well, geee if it wasn't public why didn't you secure it?" argument falls to pieces. The "login as root" also doesn't fly as far as being a legitimate thing to be attempting. It's an obvious attempt to do something that you should not be doing.
I believe there are laws against randomly walking around and attempting to pick locks. Why not laws against attempting to exploit vulnurabilities? I mean. If your friend says "That's my house, go pick the lock and bring me a beer" and you do and it's not his house.. is that a legit defense? If your buddy says "Go r00t my box".. I mean. Hey. C'mon.
Heh. I bought a camera there once, the box arrived via UPS ripped open and empty. Not BB's fault, but they re-shipped the camera. It arrived an absurd amount of time after the original empty box, and by that time I had given up and purchased a different, cheaper, and better camera. So I returned the camera within the amount of time permitted. Unopened. And was informed by Best Buy that I would have my refund processed within 30 days.
30 days passed. No refund.
Best Buy had somehow arrived at the logic that A.) I could not be refunded for the reshipment because I was never billed for it. and B.) I could not be refunded for the original shipment because it was reshipped. This somehow made sense to multiple people there that I had paid nearly $300 for merchadise, did not have the merchadise, and did not have my money.
Another month passed with back-and-forth and at various points they'd promise the refund, but then follow up with a caveat. Caveat! Restocking fee. (it was returned unopened within the amount of time you required--and no restocking fee should be applied) Caveat! Return the original box--the one they told us we could throw out waaaay back in January. Hello. It's March now.
Finally the magic words were uttered. Fraud. Court. Criminal.
And I had my refund.
I actually feel compelled to check my credit card statement every month to see if they've reinstated the charges somehow. *snicker*
I suppose I could have always denied the charges. But I don't like doing that.
Eh. It's a quick and easy fix for someone who wants to "make their computer do something". It also tends to push the person to learn Javascript, and from there to learn PHP. It's like letting a young child play with a pen prior to them learning the alphabet. They learn the basic control over the instrument. (in the case of HTML: dealing with syntax, the importance of precision, learning mnemonic tricks for remembering things like "img src" (IMaGe SouRCe), etc.)
Yes, it's not a programming language--but look at the goals. To allow someone to branch out into a new area. It's unlikely his mom wants to become a professional programmer...
-Sara
Freshdirect has a "no substitutions" policy. They don't offer substitutions, and if something is out of stock they just subtract it from your order. (This can be frustrating, especially if they're out of white corn and you would have gladly taken yellow corn instead.).
:) Some like the one you used, will suck. Some, like the ones I've used, will be great.
The biggest problem I've had with FreshDirect (Other than the occasional rude/annoying gangsta delivery guy, has been that their portions for vegetables vary wildly. Sometimes their "Jumbo Carrots" are slender tiny things that I'd buy 15 of if I were at the grocery store, other times they're these humungous monsters that I only need two of. You don't really know until they show up in a box at your door.
FreshDirect has a reasonable charge of under $4. Gristedes which has gone into competition with them offers free delivery over a certain amount, but the quality of Gristedes in-store food has always been mediocre at best, so I'm reluctant to even try their online service.
Basically, it boils down to the service you use.
-Sara
1. Paranoia is healthy. Not the "OH MY GOD SOMEONE IS WATCHING ME LET ME DON THE TINFOIL CAP!" paranoia, just the checking-the-mirrors and looking-both-ways-before-you-cross-the-street paranoia. This translates to "Don't download stuff even if it says it's from such and such a company." and "Don't assume the computer is a safe place."
2. Home users don't have to be paranoid or capable to the point of being slashdot users. However, if you put a UZI (Unix based OS) in the hands of your average civilian, they damned well better be able to handle it when it starts kicking. The average Mac OS user is used to a slingshot. Something that doesn't have "ports", something that doesn't have a backend that can be turned on. Something that doesn't have a scary little command line that's capable of wreaking havoc. They're used to a closed system that is hard to get into, and not very rewarding to those that do get into it. OS X is a whole new ballgame, and they need to learn how to handle the results. Otherwise it'll be just as bad as your average Windows system. Perhaps worse--as Windows users have lived with undying paranoia about Viruses and evil doo-dads for longer than Windows has been around.
3. Exposing vulnurabilities in the way that vulnurabilities are exposed for Windows/Unix users is foolish. It should be done by Apple, it should be done in a way that will expose the average user to it. And it should be done in a way that is informative. "Here's how YOU can prevent attacks against your system". This should apply to Windows users, too. There are far more "average" users out there than there are skilled users, and the majority of catastrophe comes from those who know nothing about what they're doing, and don't know that they're living right smack dab in the middle of a computerized hostile environment.
-Sara
Telling only the owners of the lockers might be feasible, but then you'll have everyone run out of the gym and tell their significant others "Be careful at gyms! Mine has this horrid lock policy." and thus the knowledge spreads.
Besides, those that are most likely to exploit a bug are those that already belong to the "gym". They use the OS day in day out, and thus know how to take advantage of things.
It would be nice if there was a middle ground, but there isn't. It's Security through Obscurity, or Security with disclosure.
Another reason why security-with-disclosure is a good thing is because it encourages those that find the bugs to report them and to make them known. There's a little bit of fame for those that find bugs. If there's a gag order, they'll seek their fame elsewhere. Either by not finding the bugs, or by exploiting them depending on the level of maturity of the discovering party.
Scenario A: Those who find lockers with faulty locks will be rewarded.
Scenario B: Those who find lockers with faulty locks will be punished for checking to see if the lock is faulty. Either/or they will be hushed and handed an NDA.
Which do you think is more likely to produce a good whistle-blower, and which do you think is more likely to produce a covert criminal?
-Sara
Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"
It's more along the lines of a Gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an unsecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."
Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.
If there's a vulnurability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)
-Sara