Apple does manage to use XCode for OS X, yes? And certainly all the iApps. What about the pro apps like Shake, Motion, Final Cut, ProTools -- are those on XCode?
Plus, you can order it together with Thieves Highway (ordinarily $31.96) for a combined price of only $5030.96! Oh, wait, that's the same price. Well, still, they're clearly better together.
So is there any weapon system you would recommend against spending billions of dollars on? Or any reason to spend less than the maximum feasible amount of federal money on defense? 5% of GDP? 10%? more?
whoa, mod parent up! I had no idea. That's great -- i use vim anyway, it's installed on every platform I use (linux, solaris, os x), and it's OSS, hence fairly futureproof!
It's pretty stupid that Apple's policy prevents them from discussing the issue before they have a patch for Safari. They really ought to post an advisory urging users of their shiny new operating system to turn off the "open safe files after downloading" preference in Safari. Considering that it's now established that malicious widgets can replace the Apple-supplied widgets, run with full user privileges once activated, and execute arbitrary binary code, Apple really owes it to its users to warn them.
And this business about not being able to uninstall widgets is complete garbage. To uninstall, just delete it from ~/Library/Widgets.
Yes of course that's how it's done, but strangely Apple's help documentation states: You cannot remove widgets from the Widget Bar or change their order. You can read the pertinent Help page at:
file:///Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/pgs/mh2037.html
Clearly they're not doing their computer-novice users any favors here.
And this is different than downloading a malicious program to the Desktop or Downloads folders, because I expect things to download there. It's more like downloading a malicious program and automatically copying into /Applications/, where I certainly do not expect to have things downloaded.
And as for inadvertently clicking, do see my rather over-exuberant example exploit page, which fills your Widgets Bar with widgets that look just like the Apple ones.
I agree it's not the worst exploit in the world, because it does require a small degree of user intervention. But the look-alike widgets show that it won't take a very conscious user intervention -- not even clicking 'okay' to some vague warning, or double-clicking an unfamiliar file.
No, it's a conscious design choice, just an unbelievably lunatic one. What's more, it doesn't prompt for permission before running an auto-installed widget that has requested full system privileges. Check out this example exploit page for a demonstration. (Warning: downloads a bunch of widgets!)
Ah, but what if the icon itself looked just like the Address Book widget, or the Sticky Note widget? And to the user, it acted exactly the same? The user might think, "Huh, funny, there's two Address Book icons now", but would probably write it off as a glitch if it appeared to operate normally. In the meantime, your passwords are being mailed to Russia...
I think you already corrected yourself above, but for others reading this, no, it doesn't prompt the user before running an auto-installed widget, which is such a fantastically bad idea I can't believe it didn't occur to anyone what a security flaw that is.
Even if Safari is set to automatically download 'safe' files, all this does is download the .zip archive. The user still has to open up the zip, and run the widget inside - which will ask the user for permission to run. The user has to go out of their way to install the unsafe widget, which, at the end of the day, is a matter for user training.
Actually no, and that's what makes this such an incredibly bone-headed choice of a "feature". As per the Apple Developer Documentation:
If you're using Safari, click the download link. When the widget download is complete, show Dashboard, click the Plus sign to display the Widget Bar and click the widget's icon in the Widget Bar to open it. If you're using a browser other than Safari, click the download link. When the widget download is complete, unarchive it and place it in /Library/Widgets/ in your home folder. Show Dashboard, click the Plus sign to display the Widget Bar and click the widget's icon in the Widget Bar to open it.
Safari doesn't just unzip the archive and leave it in your downloads folder. It also copies the unzipped widget into ~/Library/Widgets/ and puts them in the Dashboard Bar. So the user doesn't have to do anything to have the widget appear in the Dashboard Bar. And, even if the widget is one that requests special privileges like complete read-write access to the filesystem, or the ability to run arbitrary shell commands, the user won't be prompted with an 'are you sure?' before activating it.
Moreover, if you make a widget with the same icon and name as an Apple widget, the user will have no way to tell which is which! And if you auto-install an entire set of widgets that look like Apple's, but have spaces in the names so they appear earlier in the Dashboard Bar, you won't even see the duplication of widgets -- you'll just see the normal default Dashboard Bar, but with malicious widgets instead of the Apple ones!
You can try this example exploit page if you like, but be careful not to activate the faux 'iTunes' widget.
Safari will warn you when downloading a widget with cocoa calls in it by saying "widgetname contains an application. Are you sure you want to continue downloading widgetname?". You have the option to abort download and installation.
Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.
Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.
It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the 'Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.
It installs the widget, but does not activate it.. it just makes it available.
Yes, but it's trivial to make a widget that appears identical to, say, the Apple Stickies widget. Moreover, as this example exploit page shows, you can make an entire slate of widgets which look like the first page of Apple widgets, but appear before them (by putting spaces in front of the names). So you might inadvertently visit a web page that auto-installs widgets, then later go to the Dashboard to write a new Sticky Note, never seeing any indication that something has changed, and -- oops! -- you've been pwned. (screenshot)
Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).
Unfortunately -- and incredibly -- this is not true of auto-installed widgets. Try the Calculator 'evil widget' in the above page, for example. It requests full system access, uses it to launch the command-line 'say' program to speak some text, and the user is never prompted for approval, beyond simply dragging the widget out of the Widget Bar in the first place. This is very, very, bad. Such a widget could erase your home directory, and you might never even know it had installed!
First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?"
It only does this for widgets that contain native code (a plug-in). Widgets that don't may still do malicious things by calling the widget.System() method.
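The thread names three warning signs for a widget that arrived via Safari's auto-install: a name padded with leading spaces so it sorts ahead of Apple's, a name that collides with an Apple-supplied widget, and an Info.plist that asks for system or filesystem access (or bundles a native plug-in). The audit script below is an added example, not code from the thread or from Apple; it assumes the documented Dashboard Info.plist keys AllowSystem, AllowFullAccess, AllowFileAccessOutsideOfWidget and Plugin, and builds constructed sample bundles in a temp directory rather than reading the real ~/Library/Widgets.

```python
import os
import plistlib
import tempfile

# Info.plist keys a Dashboard widget uses to request privileges; the thread
# refers to these as "full system access" / read-write access to the filesystem.
PRIV_KEYS = ("AllowSystem", "AllowFullAccess", "AllowFileAccessOutsideOfWidget")

def widget_name(wdgt_dir):
    """Return (display name shown in the Widget Bar, parsed Info.plist)."""
    with open(os.path.join(wdgt_dir, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    name = info.get("CFBundleDisplayName") or info.get("CFBundleName") or ""
    return name, info

def audit_widgets(user_dir, apple_dir):
    """Flag user-installed widgets that show the auto-install abuse patterns."""
    apple_names = set()
    for entry in os.listdir(apple_dir):
        path = os.path.join(apple_dir, entry)
        if entry.endswith(".wdgt") and os.path.isdir(path):
            apple_names.add(widget_name(path)[0].strip().lower())
    findings = []
    for entry in sorted(os.listdir(user_dir)):
        path = os.path.join(user_dir, entry)
        if not (entry.endswith(".wdgt") and os.path.isdir(path)):
            continue
        name, info = widget_name(path)
        reasons = []
        if name != name.strip():
            reasons.append("padded name (sorts ahead of Apple widgets)")
        if name.strip().lower() in apple_names:
            reasons.append("name collides with an Apple widget")
        for key in PRIV_KEYS:
            if info.get(key):
                reasons.append("requests " + key)
        if info.get("Plugin"):  # native code: the only case Safari warns about
            reasons.append("bundles native plug-in " + str(info["Plugin"]))
        if reasons:
            findings.append((entry, reasons))
    return findings

def make_widget(parent, bundle, **info):
    """Constructed sample: write a minimal .wdgt bundle with the given Info.plist."""
    path = os.path.join(parent, bundle)
    os.makedirs(path)
    with open(os.path.join(path, "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    return path

def demo():
    """Constructed Apple and user widget folders, then the audit over them."""
    root = tempfile.mkdtemp()
    apple = os.path.join(root, "Library", "Widgets"); os.makedirs(apple)
    user = os.path.join(root, "home", "Library", "Widgets"); os.makedirs(user)
    make_widget(apple, "Calculator.wdgt", CFBundleDisplayName="Calculator")
    make_widget(user, " Calculator.wdgt", CFBundleDisplayName=" Calculator", AllowSystem=True)
    make_widget(user, "Weather2.wdgt", CFBundleDisplayName="Weather2")
    return audit_widgets(user, apple)
```

On a real Tiger machine the same check runs as `audit_widgets(os.path.expanduser("~/Library/Widgets"), "/Library/Widgets")`.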
It's "fair" because raw numbers matter. Which is the same reason the U.S. is a very important market, as opposed to say, Iceland. If you want to make a bunch of money selling services to broadband subscribers, who cares what the overall population is, if there's a bigger market in absolute terms?
Having said that, Smart Playlists on iTunes is neat but woefully underpowered and inflexible. For example I can't get a smart playlist that is "(trance OR ambient OR chillout) AND rating>=4".
Combine Smart Playlists to achieve this. First create "playlist 1" that matches ANY (Genre is trance OR ambient OR chillout). Then create a second that matches ALL (is in "playlist 1" AND rating >=4).
Requires extra playlists to build up the terms of your CNF formula, but it works.
The GUI for creating Smart Folders / Saved Searches, unfortunately, does not have the combining power (there's no "is in smart folder X" option), so you can only have disjunction or conjunctions. This is very annoying. Fortunately, you can edit the .plist of the saved search to create any query you want, including nested ORs and ANDs. I think Apple just couldn't think of a good clean GUI for nesting conjunctions & disjunctions, which admittedly is a tough problem.
Can anyone briefly explain to me why this person is widely credited as actually, you know, working at Apple? Just curious; I haven't run across anything particularly surprising or insider-y.
No, the difference is tying the search database into the file functions, so the metadata database is updated *instantly* every time you save, create, or move a file. That, and making metadata/search APIs available to developers, so they can seamlessly export metadata or access live search results.
Where did you get your sense of humor from?
Whoa weird, you're right. Grandparent post, if not a troll, is remarkably bad.
Admit it Steve, you are the "Preacher." You crazy Canuck. Nice show.
Sorry, the uninformed hysterical fringe is too busy working in their dozens of mainstream laboratories.
Whoever didn't recognize grandparent post as a joke is a moron. :)
No no, I think it was a meta-joke... maybe. Hope so.
Well, you could forward to your Gmail account. And I think you can set a different Reply-To: in Gmail.
Personally, I don't mind wreckless driving at all... but maybe that's just me.