Here is what I did in my office when I was a lawyer.
All files were stored on a central file server.
Every night a shell script ran to create a set of rotating backups with cp, cpio, and rsync. Hard links were used so each backup only added data for what changed, and each backup set could be used like a snapshot of the server at the time of backup without using excessive space. (This is kind of like a poor man's version of Apple's Time Machine.)
As part of the backup script, rsync using ssh made a second backup of the file server to my home computer.
On-site backup, off-site backup, and however many versions of the prior state as I wanted to tell the script to keep. Thanks to cron, I had set-it-and-forget-it ease; all I had to do was see the all-clear email that the script sent me to know I was backed up.
Any lawyer wanting to do this kind of thing should be very, very careful and know exactly what they are doing, as it is extremely easy to mess up and send all your client's information in clear text across the internet, or mess up and end up with nothing in your backup.
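An added sketch of the hard-link rotation described in the comment above, not the commenter's script and written in Python rather than with cp, cpio and rsync: unchanged files are hard-linked to the previous snapshot, and an empty or missing source aborts the run instead of rotating good backups out. The `snap.<n>` directory naming, the `keep` parameter and the sample tree are assumptions made for the example.

```python
import os, shutil, tempfile

def snapshot(src, root, keep=3):
    """Write root/snap.<n> from src; files unchanged since the previous
    snapshot (same size and mtime) are hard-linked instead of copied."""
    os.makedirs(root, exist_ok=True)
    nums = sorted(int(d[5:]) for d in os.listdir(root) if d.startswith("snap."))
    prev = os.path.join(root, f"snap.{nums[-1]}") if nums else None
    new = os.path.join(root, f"snap.{nums[-1] + 1 if nums else 0}")
    copied = linked = 0
    for dirpath, _dirs, files in os.walk(src):
        rel = os.path.relpath(dirpath, src)
        os.makedirs(os.path.normpath(os.path.join(new, rel)), exist_ok=True)
        for name in files:
            s = os.path.join(dirpath, name)
            d = os.path.normpath(os.path.join(new, rel, name))
            old = os.path.normpath(os.path.join(prev, rel, name)) if prev else None
            st = os.stat(s)
            ost = os.stat(old) if old and os.path.isfile(old) else None
            if ost and (ost.st_size, int(ost.st_mtime)) == (st.st_size, int(st.st_mtime)):
                os.link(old, d)        # unchanged: a second name, no extra data
                linked += 1
            else:
                shutil.copy2(s, d)     # new or changed: real copy, mtime preserved
                copied += 1
    if copied + linked == 0:
        # Missing or empty source (unmounted share, wrong path): abort before
        # rotation so good snapshots are not replaced by an empty one.
        shutil.rmtree(new, ignore_errors=True)
        raise RuntimeError(f"refusing empty snapshot of {src!r}")
    for n in nums[:max(0, len(nums) + 1 - keep)]:   # drop the oldest sets
        shutil.rmtree(os.path.join(root, f"snap.{n}"))
    return new, copied, linked

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:      # constructed sample tree
        src, root = os.path.join(tmp, "files"), os.path.join(tmp, "backups")
        os.makedirs(src)
        for name in ("brief.txt", "notes.txt"):
            with open(os.path.join(src, name), "w") as f:
                f.write(name)
        print(snapshot(src, root))   # first run copies both files
        print(snapshot(src, root))   # second run only adds hard links
```

For the off-site copy, the clear-text risk the comment warns about depends on the transport: rsync run over ssh is encrypted, while a destination written as `host::module` or `rsync://host/module` talks to an rsync daemon without encryption.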
How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?
Now do you really think the Quick-E-Marts of the world will take the time to train their employees to not sell things to thuggish-looking people carrying around severed fingers connected to blood-pumping, pulse-making contraptions? Who is being the crazy person now?
Let me preface this: I have used Macs for 20 years, I own stock in Apple, I am typing this on a tangerine iBook, I am one of those Apple fanboys that everyone is bandying on about.
If you ask me, this article is a little late, as my recent experience has shown that Apple is no longer a top performer in customer service.
My Experience:
I ordered a new MacBook Pro 2 GHz from Apple's online store. When it came, it emitted a mind-splitting tone whenever the screen backlight was on. I talked to an Apple Care rep, they were nice, and agreed with me that it sounded like a problem with the backlight or the inverter board that feeds power to the backlight. I sent in my machine. This is fine; everything cannot leave the factory perfect every time.
Two weeks later I got my machine back. I turned it on, and the screen whine was still there and still audible from across the room. I checked the repair record, and they had replaced the motherboard. No work had been done to the inverter board, which is separate from the motherboard, and nothing had been done to the screen backlight.
I called Apple Care and was escalated to a product specialist. The specialist was insulting, and implied that the noise was not happening. Additionally, at no point did they acknowledge that this was a widespread problem. The Apple Care specialist suggested that I take the machine to an Apple Certified Repair center or an Apple store.
Having read of people's nightmares with the Apple store, I decided to use an independent Apple Certified Repair facility. The independent repair tech heard the noise too and winced. He said they would work on fixing it.
The independent repair facility called the next day and said they could not fix the problem as Apple had not acknowledged the issue. They had to send the machine back to Apple itself, where it had not been properly repaired the first time.
Now I wait for Apple to have try 2 at fixing my brand-new, unusable-on-arrival computer. I hope I do not need to send in my machine for a third time for this problem, like at least one poster on Apple's support discussion forums.
To console myself I wrote them a letter demanding either a new machine of higher specification, free warranty care for the time that I own the machine, or $500 as compensation for the fact that I am effectively receiving a refurbished machine instead of a new one.
It would have all been fine if they had fixed the problem the first time, or if the problem was one that was not obvious from the moment the machine was turned on, or if they had simply acknowledged that this was an issue that several people were having and they were trying to figure out a fix.
Exactly, that is why the real problem is that metadata can be used to override the file extension. I looked at the exploit in action, and the problem is that Safari opens a Terminal file that has had its file and creator bits (or whatever they are called now) set to point to Terminal, while the extension says "jpg". The solution would be to always open *.jpg in Preview or whatever the user chooses as the default. Regrettably, this selection is not allowed, as the "always open with" application selection in the Finder does not work that way. Even if you set all non file/creator bit *.jpg files and all Photoshop file/creator bit *.jpg files to open in Preview, when a Terminal file/creator bit *.jpg file shows up, it opens in Terminal, NOT Preview.
Trust in Steve; he was right when he was getting rid of file/creator bits. The file extension gives a visual cue to the user and the computer of what will be opened and where; allowing file/creator bits to override that leads to the result of users and automated processes not getting what they ask for or might expect.
Let us consider this exploit with Safari open "safe" files set to ON without file/creator bits overriding the file extension. Hapless user clicks on zip archive containing killer Terminal file designed to wipe out the home directory. Safari downloads then extracts the zip, then opens the offending Terminal file in, wait for it, wait for it... that is right, Preview, and Preview complains. The user is confused because the thing they wanted did not appear. The user goes and double-clicks on the killer.jpg file. Again Preview attempts to open it and complains that it is not really an image. The user grunts, and trashes the thing with home directory intact. No problem, no exploit. This is good.
Now consider that same hapless user with the same killer Terminal file, but this time, the file/creator bits override the file extension. The user even listened to their grandchild who said "fear the web, like you fear the reaper" and turned off the open "safe" files option. The user clicks on killer.jpg.zip. Safari downloads the file. The user now goes to the zip file and double-clicks. A jpg file appears. The user is savvy enough to look at the extension and thinks, "oh how charming, all those pictures my grandchild sends me are jpg's; this will be something nice." The user clicks on the jpg file, and Terminal starts up, her home directory is wiped. The user becomes enraged, turns against technology, moves to a one-room cabin, and becomes the next Unabomber. This is bad.
Remember it is the metadata babe, and by babe I mean you. (Apologies to Harry Shearer for stealing the babe thing.)
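An added example, not part of the original comment: a check on a downloaded zip that compares each member's extension with the leading bytes of its content before anything is opened. It inspects file content rather than the type/creator metadata the comment discusses, and the signature table, function names and sample archive are constructed for illustration.

```python
import io, os, zipfile

# Leading bytes expected for each image extension (assumed, minimal table).
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

def mismatched_members(zip_bytes):
    """Return [(name, reason)] for members whose content does not match
    the image type their extension claims."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if info.is_dir() or ext not in MAGIC:
                continue
            with zf.open(info) as fh:
                head = fh.read(16)      # signatures fit in the first bytes
            if any(head.startswith(sig) for sig in MAGIC[ext]):
                continue
            if head.startswith(b"#!"):
                reason = "starts with #! (script)"
            else:
                reason = "content is not a " + ext + " image"
            findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed archive: one real JPEG header, one harmless text file
    named like an image, one ordinary text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
        zf.writestr("killer.jpg", b"#!/bin/sh\necho placeholder\n")
        zf.writestr("readme.txt", b"hello\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in mismatched_members(build_sample()):
        print(f"{name}: {reason}")
```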
Perhaps this was the experiment: 1. Select view source 2. Search source for "script" 3. Notice that this very page has 66 script tags.
If you ask me, the shark has been jumped.
--William Penn