Slashdot Mirror


User: skinfitz

skinfitz's activity in the archive.

Stories: 0
Comments: 1,314

Comments · 1,314

  1. Re:Does the band know or care..? on Beastie Boys' New Album Silently Installs DRM Code · · Score: 4, Interesting

    Looks like I can add EMI to my list of labels to never buy from then. That makes Sony and EMI up to now.

    Tell me again how this sort of crap is supposed to deter piracy? All they are doing is actively encouraging it.

  2. Re:DRM for what? on Beastie Boys' New Album Silently Installs DRM Code · · Score: 4, Insightful

    This is why I love owning a Mac :D No viruses. No silly self-installing apps.

    Yet.

  3. Re:In other news on Surfing on a Surfboard · · Score: 1

    You mean ones with an unopenable package, since they'll never have to use it anyways?

    No silly - I mean the ones that are cheap and easy to use; as everyone knows, geeks are renowned for the spread of STDs due to their promiscuousness...

  4. In other news on Surfing on a Surfboard · · Score: 1

    Someone has invented a chocolate fireguard, along with a special line of condoms for geeks.

  5. Speed? on Thunderbird 0.7 Released · · Score: 4, Informative

    *slight* increase in speed? I saw that Firefox allegedly had a "3% increase" - Bollocks! - it's CRAP LOADS faster than the old version! If TBird has a similar speed increase I'm looking forward to it.

  6. Re:PLEASE TELL ME I'M WRONG! - THERE *IS* A WAY!! on New PowerMac G5s: Up to 2.5Ghz, Liquid Cooled · · Score: 1

    Fortunately there is a way to put 5 drives in a G5.

    Quite how this will affect the cooling system however I'm not sure.

  7. Re:blah, blah - cheaper than gas! on New PowerMac G5s: Up to 2.5Ghz, Liquid Cooled · · Score: 1

    the liquid you want is called Fluorinert. It's ~500 dollars per gallon.

    Wow - can you get a car to run on it? I need to save money on fuel bills.

  8. Re:Nothing left for Modders but ASS? on New PowerMac G5s: Up to 2.5Ghz, Liquid Cooled · · Score: 4, Funny

    Yeah - SURE it is. How do you explain the dual G5 with the blue light in the background then?

  9. Re:Don't be ridiculous on Apple Addresses URI Handler Issues · · Score: 1

    Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.

    Um...?

  10. Re:Don't be ridiculous on Apple Addresses URI Handler Issues · · Score: 0, Flamebait

    So why post the fact that they are fixed on the front page? By your logic this information is purely of use to Mac owners, and would not be interesting to non-Mac owners, yet it gets on the front page.

  11. Front page? How strange on Apple Addresses URI Handler Issues · · Score: -1, Offtopic

    So this gets mentioned on the front page, however the recent major security flaws did NOT get mentioned on the front page.

    Now why do you suppose that is? I mean - it's almost like people were trying to hide something.

    /. prejudiced? Shurely not.

  12. Using a Password One Doesn't Consciously Remember? on Using a Password One Doesn't Consciously Remember · · Score: 1

    It's called a biometric.

  13. Re:All in the mind on One More Mac Protocol Handler Exploit · · Score: 1

    No, you're wrong too. It is simple math. You have a pile of exploits. You remove one, and now you have fewer possible exploits. You are therefore less vulnerable.

    Normally I'd agree with you, HOWEVER when the Help Viewer exploit was known, the infinitely more serious custom protocol handler and SSH exploits were not known, and so therefore we went from one exploit to many overnight. The real problem is the parent protocol handler exploit - fixing the Help Viewer was irrelevant and didn't fix anything apart from Help Viewer exploits, which would be insignificant when you can run code directly in the shell anyway.

    As for evidence of them being informed, why it's right here.

  14. Re:All in the mind on One More Mac Protocol Handler Exploit · · Score: 2, Insightful

    "The problem is that Secunia is entirely wrong. The removal of runscript left users less vulnerable. The exploit was much worse than any of the others, and even if it weren't, it is different, so the users are not just as vulnerable, because that exploit is removed (for those who updated)."

    No, they are not "entirely wrong" they are absolutely right. The "fix" from Apple simply removed the Help Viewer ability to launch AppleScripts remotely, but did absolutely nothing to fix the parent exploit being the fact that any disk image can be mounted with the disk:// protocol, and that any application contained within automatically gets its custom protocol handlers assigned to it - silently. It just got worse with the ssh:// remote exploit able to execute proxy commands locally. Combine this with a recently discovered but as yet undisclosed email HTML handling vulnerability and it starts to get even worse.

    As for Apple being "fairly responsive" I see absolutely no evidence that they were not notified on 23rd February as the original researcher wrote.

  15. All in the mind on One More Mac Protocol Handler Exploit · · Score: 4, Funny

    Remember all of the recent exploits are theoretical vulnerabilities and therefore if you have tried out any of the proof of concept code and seen or heard your Mac do anything after clicking on these demonstrations, then you must be imagining things.

    "Apple takes security very seriously and works quickly to address potential threats as we learn of them, in this case, before there was any actual risk to our customers,"
    Philip Schiller, Apple's senior vice-president of worldwide marketing.

    "Users are still as vulnerable as Apple left them last week."
    Niels Henrik Rasmussen, Secunia

  16. Re:Rings are also bad news on Doctors' Neckties Transmit Germs · · Score: 1

    ...yeah that's HER story! ;)

  17. Idea on Weight Loss through Dance Dance Revolution? · · Score: 1

    ...a Google search turned up way too much info, and way too little of it was useful unless I want to spend the next four weeks researching this. Does the Slashdot community have any ideas, suggestions, or personal experience that they cared to relate on any of these topics?

    Learn how to use Google's "-" operator?

  18. Re:How about pens? on Doctors' Neckties Transmit Germs · · Score: 3, Insightful

    I can imagine a lot of pen swapping goes on in hospitals between hospital staff who are actively interacting with patients. This must spread germs!

    Pen condoms??!

  19. Re:Rather simple WWW fix? on Yet Another Mac OS X Protocol Handler Exploit · · Score: 3, Informative

    To continue using Safari safely, just uncheck 'Open 'safe' files after downloading.' - which prevents the automagic mounting of disk images you download.

    Doesn't stop images being mounted using disk:// as a protocol. i.e. disk://malware.somwhere.com/own3d.dmg

    No one should be using that option.

    It's on by default so game over. Not needed for this or new similar exploits to work anyway.

  20. Site is knackered on Calculate When You Are Most Awake · · Score: 1

    Looks like it's been /.'ed

  21. The real reason on Can Cell Phones Ignite Gasoline Vapors? · · Score: 1

    Many petrol stations are paid to have mobile phone masts concealed in their signs.

    Naturally I assume that the reason for insisting on turning off phones is so that people don't notice they have full strength signal...

    Seriously though - can a mobile phone in close proximity to a mast cause any interference?

  22. Re:I just emailed the guy. on The Windows Security Nightmare · · Score: 1

    It's a very, very good point, and is being addressed in Windows XP SP2.

    The other issue of course is one of automatic updates - I think if Microsoft had enabled that by default when XP came out the sky would have been falling in about privacy, however these days I think people would appreciate it if the bulk of users on the net had their boxen updated automatically.

  23. Re:Um, what privilidges does it run at? on Safari Falls Victim to Remote Code Exploit · · Score: 1

    Try echo|sudo -S ls

    ...which will not ask for a password so long as the password is blank. Bear in mind the default setup behaviour is an admin user with no password, isn't it?

    Note also that if you have a blank password, you can't CTRL+C out of sudo either!

  24. Re:Um, what privilidges does it run at? on Safari Falls Victim to Remote Code Exploit · · Score: 1

    The default behaviour for sudo is to ask you for a password and remember that for 5 minutes. You can override it by typing

    sudo -K

    Which instructs it to "forget" your elevated privs.

    Try sudo -K then try again and see what happens.

    One concern is that by default, OSX creates an admin user with no password. So in other words... try this:

    echo |sudo -S ls

    Scary eh?

  25. Re:Um, what privilidges does it run at? on Safari Falls Victim to Remote Code Exploit · · Score: 2, Insightful

    Unless this has a built-in privilege escalation, I don't see how this is true. If it just runs as the user (which it appears to) then you could erase the users information that way, but not the disk.

    Show me one Mac owner that doesn't log on using an administrator class account (default, no password, auto logon).

    I have never, ever, known any Mac owner (myself included) to create a "Standard" user account for their own personal use.

    This exploit could destroy a lot of work, and don't give me the "you're an idiot if you don't back up" line, as it's not the point.