Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:Already Built-in solution for running programs on Enso Gives Keyboard Commands to Windows Users · · Score: 2, Informative

    Or, using OS X, you can skip steps 1, 2, and 3 and just hit cmd-space, type the first few letters, and hit enter. It works for programs and files.

  2. Re:Beta tester thoughts. on Enso Gives Keyboard Commands to Windows Users · · Score: 1

    I think the other aspect is tight integration and a fluid user experience.

    Umm, I'm not sure what you mean by this. In what way is the OS X, ubiquitous spell checking service not a fluid user experience? It just underlines misspelled words in red and right clicking gives you options for replacing those words. For other functions, clicking a key combo I defined looks up any highlighted word in 11 online dictionaries and thesaurus, regardless of the program I'm using it in. What, exactly, do you think could be made more integrated or fluid about this?

  3. Re:Here's an idea on U.S. Cities Don't Make the Intelligence Cut · · Score: 1

    I go to the library, primarily for entertainment. Their selection of sci-fi books is excellent. Occasionally, I'll use it to get research materials, but not for normal reference materials. Unless I'm going to read a book on some subject cover to cover, the internet provides better and faster access.

    One thing I've noted at the library is what people are doing there. In general, for every person looking through the shelved books, there are about 15 people using the internet access terminals and about 5 people looking through the DVDs. Times have changed and so have media forms.

  4. Re:Preferences are subjective on BBC To Host Multi-OS Debate · · Score: 1

    You make some very valid points. In my comment comparing OS's I think these are summarized as two bullet points though :) One thing I'd like to comment upon, however, is the following:

    I don't feel that the developers are working against my interests for their own gain, or to get in bed with media moguls, etc.

    I don't feel like the developers are working against my interests as often with Linux, but I do feel like they are working against my interests. This is for several reasons. First, distro maintainers are often large companies that tend to like to lock-in customers a little bit to their service offerings. We end up with distributions that don't work well or easily unless the software is from a particular repository using a particular service provider's service. Likewise, I sometimes feel that maintainers intentionally leave some things hard to configure and set up in the hopes of motivating people to pay for their support offerings.

    Aside from that, I also sometimes feel that the Linux user environment in general is directed towards being a great, free server for power users, even if that means they won't make even minor compromises to make for a better desktop environment for less expert users that want to run some commercial software. Software distribution, installation, and management, for example is way ahead of other OS's for some features, but behind in that they neglect providing for software that is payware, distributed on CD or from a commercial Website, for less expert users. I've advocated incorporating and extending OpenStep into mainstream Linux packages to make up for this deficiency in the past, but always a significant number of Linux people respond that they don't want the complexity and that it is unnecessary (or other arguments that don't actually make sense because they are misinformed).

    Now don't get me wrong. Linux is more likely to be developed with my interests ahead of someone else's than Windows or OS X, but this is still something that could be better. For the record, I use all three OS's daily on the desktop.

  5. Re:Scary.. on BBC To Host Multi-OS Debate · · Score: 1

    It's not the applications in general that are the problem, but the OS itself. The alt-tab doesn't show individual documents open in an application...

    I suspect most of your problems are simply that you are used to Windows and you have learned the keyboarding features on it, but have not for OS X. For example, the OS X method of switching between applications and documents is arguably better for power users than the Windows way. For large numbers of Windows, it is certainly faster. Say you have 100 windows, ten per application. If you have app 1, window 1 in the foreground and you want to navigate to app 5 window 5, on windows you hit alt-tab 50 times. On OS X you hit cmd-tab 5 times, then cmd-` 5 times for a total of 10 key presses. 10 key presses is a lot less than 50.

    Supposing, however, that you have only 9 windows open, 3 per application, going from app 1, window 1 to app 2, window 2 on Windows is 4 key presses and on OS X is 2, but with a chording change that will slow down typists slightly, for no real net advantage to either for speed and added complexity on OS X.

    launching applications can't be done as swiftly as the windows+r shortcut.

    You may be out of date. It can be done just as fast using spotlight and it also applies to documents. cmd-space followed by letters of what you want to launch and enter.

    I use alt-tab more than I use a mouse, and even the alt-tab replacements that are similar in functionality to Windows's aren't as quick.

    Listen, this is just wrong. I use both OS's daily. The OS X method is faster not slower, once you learn it... especially for large numbers of windows.

    I'm not trolling - I worked at a design agency as a PHP contractor, and they put me on a G5. I used OSX for 8 hours every day for 6 weeks, and that was the major problem I had.

    How long have you used Windows? I bet it was more than 6 weeks and I'll bet you're very accustomed to it. It takes a while of regular use to learn to be fast on any OS, and you have to have a mindset of wanting to do it. The fact that you were sort of forced into it, probably made you mentally predisposed to look for problems with it, rather than solutions. Three years ago, you could argue keyboarding on OS X was worse than Windows and have some valid points. Five years ago you could argue it, and not many had use cases that was not the case for. Today, it is not at all true, and keyboarding on OS X is arguably better than on Vista. If you turn on full keyboard access in OS X there are fewer functions you can't get to than on Windows applications (assuming we're talking native applications for each platform).

    I think you're out of date, or simply incorrect.

  6. Re:It's 2007 on BBC To Host Multi-OS Debate · · Score: 1

    Newsflash: Communism doesn't work in practice. Competition is the biggest motivation for improvement; with only one OS, we'd have all the problems of a monopoly, but worse~

    Not to be pedantic, but from a market perspective socialism (I assume you mean this, since any cell large enough to include computer production is indistinguishable from socialism) under our current system would be the government producing the OS, or directing the production thereof. Theoretically this would be directed in the best interests of the people and the decision makers are ultimately answerable to the people, albeit through a supremely indirect route. The lack of competition would, de-motivate innovation and proper decision making.

    This differs from a privately controlled monopoly only in that the monopoly is answerable only to the shareholders and ostensibly acts in the best interests of making the most money while expending the least resources.

    From purely a market perspective, monopolies are actually worse than socialism at making beneficial decisions and fostering innovation.

  7. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 1

    This is where you specifically mentioned MoAB and this is what I'm calling you out on.

    So you asked a question I had already answered to "call me out." That is empty rhetoric. Please actually stick to the points at hand. If you have a statement make it. If you have a real question ask it.

    You obviously don't get it.

    If "it" is your point, no, I don't. Why don't you state it in plain English instead of asking rhetorical questions?

    You bitch about people being immature WHEN IT HAS NO BEARING ON THIS DISCUSSION.

    Maybe if you're going to use so many caps, it should be in regard to something I actually did say. I never used the term "immature" anywhere in my comments. I called the researchers irresponsible, which they are. That was a large part of the point of this thread. Saying it as no bearing on the discussion is being obtuse. You asked me what the points I was making were, and now you claim a different point, one I never made, has no bearing on this discussion? Well, you're right, but you are the on who brought it up, not me.

    Except you'd rather whine about MoAB disclosing bugs instead of facing the real problem, BUGGY SOFTWARE.

    Gee, there are bugs in software huh? And the MOAB project is going to fix that? Get real. Have you ever done commercial software development?

    Your personal opinion about how MoAB is being run doesn't enter in to it.

    I was responding to statements about whether they were an overall positive or negative influence on security. How they conduct themselves and the actions they take is the only way to determine that genius.

    So you're biased against public disclosure without giving vendors time to patch.

    Can you see the irony of this statement? I state that a method is irresponsible and you label me "biased against it." You should get a job with Fox news.

    Why does anyone care what you think?

    Because I'm intelligent, informed, and experienced. Maybe you've noticed how many people agree with that based upon that fact that half my comments in this article are modded to +5.

    If you're implying that because MoAB releases vulnerabilities publicly that their research is tainted or invalid then yes it's ad hominem.

    But I never did imply that. I said they are likely decreasing overall security. The bugs they find are obviously real. That doesn't mean the project has a net positive influence.

    So, STFU whining about MoAB and how bugs are disclosed. Bugs happen, doesn't matter how or why, you can't control it, deal with it.

    I see, so the point to which I responded was irrelevant. Umm, kinda defeats the purpose of making it in the first place. If you're the same Anonymous coward, just admit you were wrong. If you're a different one, you're off topic or an idiot.

    Apple needs to be more open about bugs instead of hiding them and pretending they never existed once they're fixed.

    Apple does need to be more open about bugs and they sometimes don't seem to provide feedback to bug reporters fast enough, although other times they are very quick to respond. That, however, has no bearing on the discussion at hand, where we were talking about the MOAB people's influence on security, not Apple's.

  8. What is the Best, For Me on BBC To Host Multi-OS Debate · · Score: 3, Interesting

    This article is nothing more than sensationalism. I might as well ask, "what are the best style of shoes?" A useful discussion is what are the benefits of each OS. Using that information a person looking to pick an OS for them, for a given use, can make an informed decision. In a previous article I wrote a list of features where Windows and OS X were respectively ahead of one another. Sadly, not a single person replied with additional features as I requested, while numerous people responded to argue tell me that some feature was not useful (I don't care if it's useful to you) or to argue that their favorite OS was just as good at that, even though they obviously had never used both OS's being compared for that purpose.

    Just for fun, I'm going to copy my list here and add Linux into the equation. This is going to be a lot harder, because there are so many different Linux distros with so many different features and no one has used all of them. I'm going to try to stick to things I've used personally. Please if you have features to add to one list, go for it. If you want to complain that your favorite OS is better for some reason you can't put into words, or if you haven't actually used all the OS's and thus are just assuming the way other OS's do it must not be better, or if you want to argue the reasons for these advantages and disadvantages, please don't bother commenting. Also note, this is in regard to use on the desktop, not the server.

    OS X Wins:

    • Sane UI choices - OS X does not ignore the last two decades worth of human/computer interaction research.
    • System services - global (nearly) spellchecking, dictionary/thesaurus, and plug-in functionality like grammar checking, language translation, only reference lookups, bibliography formatting, etc.
    • OpenStep application bundles - drag and drop installation and uninstallation of most applications, e-mail or IM working programs without having to save installers, run software off an ipod or thumb drive without having to install (including remembering per-machine preferences), easy binaries for multiple platforms, finding resources in packages is much easier and requires no tools.
    • Security - for a variety of reasons that don't matter to most end users, OS X users have never had to worry about malware or worms and probably will not have to in the foreseeable future.
    • Usable shell environment - bash, tcsh, whatever; the CLI on OS X is very usable and powerful and a first class citizen. We'll see if this comparison changes when Monad is released.
    • Automater - scripting usable by secretaries. This is the easiest tool for some tasks and the only automation/scripting I've seen that some novices can quickly learn and use.
    • Included applications - both CLI tools, GUI utilities, and GUI applications, OS X has more and nicer ones than Windows you include iTunes, iPhoto, Preview, etc., etc.
    • Upgrading hardware - upgrading a mac to a mac is as easy as plugging in a firewire cable clicking a button. This saves a lot of time and effort, amazingly better
    • Ubiquitous zeroconf - automatically and instantly finds printers, local chat, streaming music, file shares, and collaborative documents
    • PDF support - create PDFs from everywhere and viewing is fast, fast, fast compared to Vista.
    • Emulation/ports/virtualization/compatability - it is easier to run Linux and Windows software on OS X and there are more options to do so on OS X, than there are to run Linux and OS X apps on Windows (yeah I know about cygwin and Apple's licensing and the relative number of apps)
    • Easier support of third party devices, plug them in and they just work much more often.

    Windows Vista Wins:

    • Application availability - more developers target Windows and eventually a lot of people want to run some niche software that does not work without Windows
    • Not tied to one hardware vendor - If you run Windows you have more hardware choices and likely get a machine that meets you
  9. Re:Response on Apple Responds to MOAB · · Score: 2, Insightful

    Two of the bugs had been reported to Apple one month before MOAB begun. Apple did nothing (and they've still done nothing). One of the exploits was already in the wild (real-world machines being compromised) and MOAB simply reported it. Apple still hasn't fixed that one either.

    Citation please.

    Two bugs are related to stupid design decisions in Safari that date back two years and Apple still hasn't fixed those faults.

    This is incorrect. Several of the bugs (as they list them) take advantage of a design choice in Safari that sacrifices security for usability. To call it a "stupid" choice is a valid opinion, but seeing as how basically no one has been exploited yet due to that decision and seeing as we don't know how many sales it has garnered Apple, it is also a bit presumptuous.

    One bug is related to Apple's stupid practise of making the first user account an administrator and then setting lackluster permissions on system directories. Once again, known for years.

    If you're referring to APE, it was the APE installer that set the permissions in question using administrative privileges.

    You can't blame the MOAB guys for all these problems.

    I blame the MOAB guys for not informing vendors before releasing bugs, an issue which has been confirmed by numerous developers whose applications were affected, and for intentionally delaying the announcement of the bugs to fit with their PR schedule. If they actually did test their Colloquy exploit on live users I certainly blame them for that. These guys are not behaving responsibly and none of the security researchers I know would put their own PR this much ahead of users.

  10. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 2, Insightful

    The people you're complaining about. The people running MoAB.

    I described several groups of people looking for security holes in OS X and you ask me if I think the MOAB people have a monopoly on looking for security holes in OS X? I'm going to say, "no" and wonder what you're smoking.

    You're contradicting yourself, "they're motivated but they're not motivated enough". Ok.. that doesn't make sense.

    Are you motivated to get $1000? Are you motivated enough to pick it up off the sidewalk if you see it? Are you motivated enough to saw off both your legs with a hacksaw if someone will give $1000 to you?

    With OS X there is motivation, but since the task is more difficult for a variety of reasons, people with motivation exploit something else that is not as hard.

    Any way you want to spin it, OS X doesn't have enough market share to be worth it.

    The additional market share that can be exploited on OS X by adding a zero day exploit to a multi-vector worm is greater than adding most windows exploit vectors. In addition, those machines are more likely to contain certain valuable data commodities and a great deal more notoriety and recognition is possible. Assuming that market share tells the entire story is misguided.

    OS X may be more secure than insert-other-OS-here but it's still going to have bugs and there will be people there to exploit them.

    Again, what is your point and what does this have to do with anything? How does this particular project help that situation?

    I'm trying to figure out your point. You're complaining about something uncontrollable as if it matters.

    My points are very simple. I'm not convinced that there is less security research into OS X than Linux and Windows. The MOAB project is being run in a very unprofessional and irresponsible way and is obviously not being conducted by researchers who should be trusted. Further, due to their methods, they are doing more harm to overall security than good.

    The important thing is how Apple responds to bugs not complaining about how 3rd parties disclose those bugs. It's offtopic and it seems like just another fanboy putting his own personal RDF spin on things.

    You think it's off topic to discuss the methods of a third party in a discussion about Apple's response to that third party? Have you ever thought that the way in which bugs are submitted and publicized has a lot to do with how Apple will respond to them? You're really reaching here.

    Your ad hominem attacks against MoAB...

    Do you even know what ad hominem attacks are? I discussed what the MOAB people were doing that was wrong, not who they are. Please go reread a book on the rhetorical method.

    ...have nothing to do with whether or not these vulnerabilities exist and how Apple handles fixing them.

    Of course the vulnerabilities exist. That's not an issue. The point being discussed was how Apple has and should respond to disclosure that is designed to make them worse than they would be with a responsible disclosure method. Apple will fix them the same way they always do, they look at the problem, fix, it test, and roll it into the next patch. What other options do they have. Just because the MOAB people intentionally spread them out so this process will leave longer windows of vulnerability, there is not really anything else Apple can do, aside from criticize them for their methods.

  11. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 3, Insightful

    Do you think these people have a monopoly on finding bugs?

    What people? Security researchers?

    Once OS X gets enough market share to be worthwhile to blackhats you're going to see a lot worse.

    OS X has enough market share and other features to motivate people to exploit it now, it just has not had enough to motivate people hard enough to get past the difficulties involved. There is also no guarantee that OS X's market share will increase or that it will become more attractive to hackers at a rate that is greater than it becoming more difficult to exploit.

    If you think researchers releasing bugs to the public without waiting for the vendor to patch is bad then you really won't like it when someone discovers a vulnerability and uses it to create a worm themselves or sells it to someone else that will. This is only a taste of things to come.

    Yeah, creating a zero-day worm is worse than just releasing the bugs in such a way as to make it more likely that someone else will create a worm. What is your point?

  12. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 1

    There are all sorts of people trying to find bugs in Linux and Windows, but not nearly as many people are doing so for OS X.

    I'm not sure how true this is. Apple is doing audits for security internally, and a lot of security researchers have informally looked into OS X bugs with security implications as well. There are a lot of security people using OS X laptops these days (judging by their omnipresence at conventions the last few years), and they notice things and are interested and motivated.

    As a Mac user, I am glad someone is doing this now and finding these bugs and exposing them to the public and to Apple before there are exploits out in the wild.

    A lot of what this project is doing applies to very few users. Oddball, uncommon applications, deprecated features used for classic, etc. and for the rest their methods are wholly irresponsible. If I wanted to get a worm created for OS X, without getting my own hands dirty, I'd go about it much like this project. Find potentially wormable vulnerabilities and release them without prior notification to the vendor spaced out over time so that a regular QA/Dev cycle could not get them all unless it waited a whole month.

    I'm all about promoting more security researchers to have a go at OS X. Apple should offer a bounty on bugs that could potentially be used for remote exploits. That doesn't make me any more ready put up with the kind of nonsense these researchers are pulling.

  13. Re:ummm on Apple Responds to MOAB · · Score: 4, Informative

    I expected to see an acknowledgment along the lines of "Thanks to the MOAB team for alerting Apple of this flaw in Quicktime." For all we know, Apple already knew about it and fixed it without any help from the MOAB effort. Even Microsoft acknowledges outside efforts that uncover flaws in Microsoft products.

    Apple acknowledges contributions from users who report bugs to them. Just read any of their security patches and about half the items are attributed to a bug reporter outside the company. The question is, did the MOAB really report this bug to Apple as they strongly implied? We know they did not report the bug to the OmniGroup team, since their CEO went on record saying they found out about it from someone who say the MOAB site.

    If I were Apple I wouldn't give these guys credit at all, seeing as they are behaving unethically and irresponsibly. Giving them press just encourages others to behave like this.

  14. Re:Response? on Apple Responds to MOAB · · Score: 2, Informative

    The summary is wrong. Apple specifically said that the fix is in response to a report from MOAB.

    To clarify, they say it was made public on MOAB's Web site. They did not say it was in response to that announcement, nor did they imply that MOAB had reported the problem to Apple, via the normal bug report channels.

  15. Re:Response on Apple Responds to MOAB · · Score: 4, Insightful

    Haven't you just argued both sides of the same point? There's nothing Mac users need to do to protect their machines, yet the MOAB people are accused of exploiting these bugs in the wild? Either one or the other of these statements is, therefore, incorrect.

    No, that is not the case. Apple has an install base of millions. Colloquy users, on OS X, using that software actively on a channel where it is being exploit, in that one week window between the discover/alleged use and fix make up a negligible part of those millions. Adding together all the exploits used in the wild, including trojans, still accounts for a negligible part. I'm more likely to lose data because I got in a car crash which destroyed my laptop than I am to be remotely exploited.

    But that does not mean that the platform is safe.

    This statement is meaningless. Nothing is ever "safe." Even if you have a mythical, perfect computer security system there is the possibility that Illuminati agents will kidnap you, use drug and hypnotherapy, and make you copy all you data onto disc and give them a copy then forget about it. Security is relative. OS X is much better than Windows, but much less secure than OpenBSD. The point is to keep your customers happy by providing most of the with security that is appropriate. Given the lack of widespread exploitation on OS X, they are succeeding thus far.

    "Black Hats" aren't hacking as much anymore just for kicks

    There are lots of reasons OS X is less likely to be exploited, including market share, default settings, and the skill set of most malware authors. New worms already attack multiple Windows vulnerabilities to increase their chances of spreading. There have been cross-platform worms. There are worms that mine data, like online account info and CC#'s The motivation for adding an OS X exploit is there, if it is easy enough. There are a number of worms written for purposes like prestige, attention, and profit that would be more effective if they targeted the Mac. To date, it has not been easy enough.

    Where is the money in hacking a Mac? How many financial institutions rely on Macintoshes for storing sensitive data?

    If you're being directly attacked by a skilled researcher, the Mac is not the best platform. Use a locked down SELinux setup. That does not apply to most people, however. For the data on average laptops that widespread malware is targeting, macs have plenty of it. Half of the Windows machines you hit are going to have nothing of worth because they are owned by people in relatively poor areas, many pirating Windows. Mac users are relatively affluent by comparison.

    How many Macs does the DoD use?

    This is not really relevant do to the same reasons as above, but it is an interesting question. How many do they use? What naval intelligence? What about the CIA. I know some CIA operatives had powerbooks because they handled large satellite photographs and maps better. As for other uses, I don't know. Do you?

    The absence of evidence of active hacking against the Mac platform is not proof that it is secure.

    The relative lack of hacking against the Mac platform is one reason why it is more secure than Windows. Nothing is ever, "secure."

    That's the logical fallacy that Apple is happy to perpetuate, and that the "Mac Nation" will happily swallow. That's the Kool-Ade that I'd like to see fewer people drink.

    99% of people don't know what an "OS" is. If you tell them that Macs are not "secure" and neither is Windows and they need to take a course in computer security to learn safe practices, they'll ignore you as another techno-babbling geek. You might convince them to stay with Windows instead of switching to a Mac because both are insecure, right? Practically speaking the message, "get a mac and you're less likely to have security problems" is more likely to increase the overall security in our current environment than anything else. It gets people to switch to a company that needs to keep customers happy or it loses money and it gives MS incentive to make their machines more secure. Attempts to confuse this message or make it more complex are likely to result in net decreased security.

  16. Re:Microsoft and Apple on EU Countries Call Out iTunes DRM · · Score: 1

    How about this - nail MS, then nail Apple. Sound good?

    Sure, but I don't see that happening. Realistically, I think the choices are Let MS go and nail Apple, or let them both go and hope they counter one another.

  17. Mod Abuse? on Apple Responds to MOAB · · Score: 1

    How is it "flamebait" to link to an article about the MOAB people being accused of criminal activities related to their project?

  18. Re:Response on Apple Responds to MOAB · · Score: 5, Informative

    I was more troubled by the way they treated Omniweb...

    Even more troubling is the hubbub surrounding their Colloquy vulnerability, mentioned in this article. They are accused of actually using the exploit on a public IRC channel before releasing the vulnerability and publishing a log of that hack in the announcement. I don't know if it is true, but given their behavior with the rest of this project they're slipping more and more towards the blackhat end of the spectrum.

  19. Re:I posted this elsewhere too... on Apple Responds to MOAB · · Score: 4, Insightful

    Apple is generally regarded as being slower than Microsoft at patching problems.

    Yeah, I've read those studies in detail. The Window of exposure for exploits was much higher with Microsoft products and they only cover publicly acknowledged security bugs. My info says less than half of the security bugs MS finds internally are fixed ever. I don't know about the situation at Apple.

    ...but according to this study from 2006 it took them 91 days on average to fix known exploits.

    You're confusing the term "exploit" with "potential vulnerability." A lot of Windows vulnerabilities are disclosed when someone notices an exploit in the wild. This has never been the case with Apple, as far as I recall. The window of exploitation is the time between when blackhats start exploiting a hole and when the vendor fixes that hole. That is the number that counts and MS is way behind on it.

    Yes, of course, it's silly to call it the "Month of Apple Bugs" when they are also reporting exploits in third party software. Unfortunately, it's also understandable - the fact that many security problems in Windows are caused by third party software does not stop people blaming Microsoft for the insecurity of the Windows platform.

    Yeah and if an uninformed guy off the street confused these I'd understand, but these are supposed to be security researchers. When that happens, it isn't a mistake, it is knowingly promoting a falsehood.

    Given that quite a few of these third party exploits are privilege escalation (eg instant root), it is Apples problem.

    Certainly I'm all in favor of Apple finishing their MAC implementation and locking down applications and threads, but the chances of being exploited right now is so small that it is not an issue for customers yet.

    I quite agree that these "Month of X bugs" things seem to be quite irresponsible and even immature. I'm not sure what the point of them is, except to make a bad situation worse.

    The point is to generate press for the "researchers" at all costs, even if it means promoting the creation of worms in the hopes that they can get more press out of that.

  20. Re:Response on Apple Responds to MOAB · · Score: 5, Insightful

    Spoken like a true Mac apologist. How dare anybody manipulate any information, timing, or accuracy to make my computer company look bad! Welcome to the world that Microsoft lives in, here's your initiation T-shirt.

    Who cares about making Apple look bad. I'm concerned about the very real security implications of these actions. They're putting people at risk in order to get press and ignoring the established practices of the industry. You can argue for delayed disclosure based upon vendor response. You can argue for immediate disclosure. Now do tell me the argument for not informing the vendor and not informing the public until a specific day. It doesn't matter what vendor they are doing this to, it is still unethical.

    Where is this outrage when an unpatched Windows bug is announced?

    There are valid reasons for announcing an unpatched bug in some situation and I fully support that. In some cases there are even valid reasons for announcing a bug to the public immediately without disclosing it to the vendor first. That said, this is neither of those cases. There is no security justification for immediate disclosure in this case. And, they aren't disclosing immediately, but are delaying disclosure.

    Admittedly, flaws in 3rd party software don't really seem to have any business in the MOAB list, but of the 23 issues they've reported so far I believe only 3 have been for 3rd party apps.

    That would be 6, not 3... or approaching 1/3 of them.

    The fact is that yes, there is a "more responsible" way that vulnerabilities should be handled by the MOAB team. However, Apple could do a better job as well.

    I think that is understating the case. They're accused of actually using the bugs to exploit users before announcing the bugs. That goes way beyond "less responsible" and enters the realm of "probably criminal." As for disclosure times, When you're dealing with a vendor that provides no feedback and has a history of slow bug fixes and you think the vulnerability might be being exploited in the wild and there is a work around, immediate public disclosure makes sense and increases overall security. When you're dealing with a bug in OmniWeb that is almost certainly not being exploited, it makes no sense. These guys provide immediate feedback and turn around security related bugs in hours. Yet the MOAB project not only did not give them hours, they never bothered to inform them of the bug at all and they had to learn of it from someone who read the MOAB and reported it to them from there. That is indefensible.

    The whitewashing job Apple has done demanded (to some people) a highly publicized "retaliation" to prove that, indeed, Apple's feces doesn't smell like roses after all.

    Whitewashing job? Do elaborate. How is Apple covering up security problems or misinforming people?

    This is the message that just doesn't seem to get across to Macintosh users, and until they not only get the idea that their OS isn't 100% secure, and that they need to take precautions just like Windows (and Linux) users then people like this MOAB team will continue seeking publicity more than seeking to "responsibly" get vulnerabilities reported and resolved.

    Umm, but Mac users to date haven't had to take any security measures to have a negligible possibility of malware infection. That could change in future and Apple should be proactive about keeping it that way, but you can always spend more effort on security. I'd like Apple to do more, but so far they have been "good enough" and I haven't seen them misinforming anyone. Some of their Ads may oversimplify, but that is a good thing since most people don't want complex messages about computers security. "Get a mac and you're safer than if you have Windows" is about as complex as the average consumer can handle and remember.

  21. Re:Response on Apple Responds to MOAB · · Score: 5, Insightful

    And I think you are way off here saying they are only looking out for themselves.

    It is the only reason for this method of disclosure I can think of.

    Have you every attempted to do a disclosure with Apple? It's nearly impossible.

    What? They have a bug reporting form on their Website. You don't even have to give them any info on who you are. I've submitted bugs that were fixed in short order, although none were security issues. My coworker a few offices down submitted a local escalation security bug though and it was fixed a few weeks later and he was given credit in the the security update. How is that "nearly impossible?"

    These 30 odd bugs they are going to release would take apple YEARS to fix if this disclosure method was not taken.

    That's just bullshit. If they found the bugs this month and handed them all to the respective vendors then announced the results at the end of next month all the vendors would fix them before the announcement.

    I'm sure both of these researchers are Apple users or such a project wouldn't have taken place.

    At least one of these "researchers" has performed the month of bugs thing on other vendors, one of which was cancelled when he was paid off, as I understand it.

    It's my belief that they are sick of Apple's antics and simply want results.

    If they followed the schedule I listed above, and Apple did not fix them within that one month dev/QA time these guys could scream bloody murder and I'd be right behind them. They'd be following responsible industry practices and Apple would be in the wrong. I'm firmly convinced they did not do this because they were pretty sure Apple would fix the bugs and they would get only minor press once, instead of ongoing sensationalist press.

    Also, before you go to far in defending these guys, you do know they are now accused of illegally exploiting one of their bugs against users before announcing it, right?

  22. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 2, Insightful

    They have VLC and OmniWeb in the list though. As these are not directly Apple bugs, I would have to lower the number to 21.

    They also have Transmit, Rumpus, Colloquy, APE, and the PDF spec listed, none of which Apple wrote (although Apple did write an implementation of the last). To be generous, you'll have to drop the number to 17.

  23. Re:So...Is The QT Flaw the Only Notable Bug? on Apple Responds to MOAB · · Score: 4, Interesting

    I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?

    They've revealed a number of potentially exploitable bugs, although nothing to really worry about right away, and a number more third party bugs that have little or nothing to do with Apple.

    If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt.

    The most interesting thing to come out of this so far is actually a third party bug in Colloquy, a popular IRC client. The bug itself is not all that novel, but the explanation of the bug that the MOAB team allegedly, originally posted showed them using the vulnerability to hack users on the popular #macdev on Freenode IRC. Basically, many people are claiming they posted a log of them not only behaving unethically, but illegally before even announcing the vunlerability. The explanation of the bug they now post no longer contains that log. For more information check out the article and the accompanying forums.

  24. Response on Apple Responds to MOAB · · Score: 5, Insightful

    So what is the proper response to the MOAB people? They are revealing real bugs, some of which could be exploitable. Ignoring them leads to decreased security. At the same time they have behaved very irresponsibly with regard to those bugs they have found, not notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure, the MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity. Worse, they intentionally space out the publication of the bugs, making a Dev/QA cycle to fix them have to wait till the end or commit to missing some. As such they have maximized the time of exposure for these bugs which encourages worms by giving malware authors as much time as possible.

    Obviously increasing the security of end users is not the top priority. Accurately informing the public does not also seem to be their top concern since they named their project "Month of Apple Bugs" while many of the bugs they've announced are in third-part code (some of it cross-platform) that has nothing to do with Apple. It seems to me all they care about is publicity and sensationalizing themselves in the hope that they can capitalize upon it. Looking at them in that light, it makes sense to spread out the announcement of these bugs and not inform vendors beforehand because it increases the likelihood that people will be compromised, giving them the opportunity to go to news outlets ands say, "see we told you this might happen."

    Given all of the above, what can be done? I'd certainly never want to work with people who eschew responsible disclosure and are interested only in themselves, nor would I trust them. But any press is good press, and most people are not security people and won't even understand what it is these people are doing, they'll just know they got press for security research. Is there any way the security or computing community can discourage this crap in the future and make it clear that irresponsible behavior like this is unacceptable?

  25. Re:Enough CNR like things... on Linspire's CNR Goes Multi-Distro · · Score: 1

    Do you have a good reason for wanting that, or are you just a fan of drag and drop?

    Drag and drop installation from CDs or whatever is a usability win. Drag and drop un-installation (or the delete key for power users) from anywhere is a usability win. .app packages are portable without an installer. I once saved my company a lot of money by IM'ing an application from my hard drive to a worker in another state. The app was closed, commercial, and no longer distributed, thus would not be in any repositories. If we had been running Linux, we would have been screwed since who archives installer packages on their desktop? .app bundles can easily be copied onto portable media like CDs, thumb drives, network drives, and iPods and plugging them into different computers with different processors still works and saves preferences for each machine. This matters a lot for commercial software, but most Linux distros think in terms of open source software only. This is a deficiency. With .app bundles I always know where the resources inside the package are and they are easily accessible. Better yet, if I'm using ACLs of any sort, it is simple to restrict the application to its own package and the preference file(s). If I upgrade to a new machine all the application bundles can move with me, even to different platforms, without having to reinstall, change preferences or re-register. If Linux had more commercial packages from companies that distribute the software themselves, this would be a big pain point.

    With app-folders, the .app file needs to contain all of the non-standard libraries (or worse: have you resolve dependencies manually). It's grossly uneconomical...

    Disk space is cheap. If I'm running something with limited space or that needs to be stripped down the OS should be able to strip unneeded packages and consolidate and already there are tools to do that.

    ...requires manual upgrading of every separate app...

    You're confusing a disadvantage of not having a package manager with a disadvantage of OpenStep bundles. I, personally, favor having both... a package manager that manages bundles.

    ...and doesn't work in a free software environment.

    Whaaa? Why not? Bundles work for both open and closed source, which is what is needed if an OS wants to be flexible. I'd even advocate extending OpenStep packages with repository info and source, licenses, and build instructions.

    I want it all. When will an OS give me all the benefits of package management and all the benefits of OpenStep style packages?