Just FYI: correlation does in fact imply correlation.
No correlation is correlation, there is no implication involved. Something does not imply itself. Being green does not imply that something is green. The famous quote is that correlation does not imply causation, which is true. Causation is, however, one possible and usually testable factor that could create a correlation, and thus it is often a starting place for experimentation.
IGN did something rare for modern media and actually cited its references. The one you're probably interested in looking up is the first listed
I did look up this particular study out of curiosity and I'm significantly underwhelmed. Mr. Anderson does not seem to do much in the way of experimenting, but like to statistically analyze the results of other studies. Further to provide support for his papers it seems he likes to cite himself (his previous papers) as all of his primary references. He also seems focused on media appearances and speaking engagements, which makes me somewhat suspicious of his motives.
Maybe he's on the up and up, but he certainly does not seem to be very thorough or scientific. His abstract begins with the theory that since TV and movies increase violence, video games probably do as well. He then describes his "meta-analytic" review of other published articles from which he supports his belief. It may be a way to get grant money, but it isn't science.
Did it ever occur to you that, yes, maybe you did miss a memo? I mean, why would you just assume that because you haven't heard of something it couldn't be true?
They did not just state that there was evidence to support a theory they stated there was a large body of evidence supporting a theory. It seem perfectly natural to be incredulous that one could have missed such a large body of evidence and ask for some of said evidence. Is someone were to start a statement with "Since there is a large body of evidence showing that gravity really does not exist..." I might react incredulously as well whilst I asked for evidence to back up this claim that seems to contradict most established study in a field. I don't see anything at all wrong with the previous poster's reaction.
imply |im?pl?| verb ( -plies, -plied) [ trans. ] strongly suggest the truth or existence of
There is a strong correlation between red hair and people who live in Ireland. Would you then say that fact strongly suggests that it is true that living in Ireland will cause you to have red hair? I didn't think so.
It is my policy to never point out grammar or spelling mistakes on forums unless I am quoting someone, can't understand the intended meaning, or that is the purpose of the forum or thread. I just thought it was amusing that in an a thread about computing and education someone could include so many grammar and spelling mistakes including misspelling 'illiterate.'
To get on topic though, I really think this varies from school to school. Some educational institutions employ and create more OSS than nearly anywhere else. Others are strictly MS shops that buy whatever the MS rep tells them to. Some employ top notch IT people both as permanent staff and recruited from the cream of the student body. Others outsource it all. Some schools employ software in a way that complements and enables the learning process while others try to bolt on some sort of computer training. I'm not sure we can really generalize this sort of thing and we need to look very carefully at any funded studies to see if they have an agenda.
But i belive in this case this was just a shot to sell their own service, the main question is since its their network are they really ALLOWED to do this?
Sure, just as soon as they give up all their lines using publicly owned right of ways and are willing to no longer be protected from legal action for all the copyrighted material and kiddie porn they republish from router to router. That is to say, when they are no a government mandated local monopoly with special protections and privileges they can stop upholding the responsibilities of a common carrier that requires that treat everyone on their network, including services they offer themselves, equally.
Re:Do we have evidence that Intel coerced...
on
AMD Subpoenas Skype
·
· Score: 1
Skype into this relationship? Why is this not a perfectly acceptable competitive advantage offered to a partner?
If Intel is shown to be a monopoly then this is pretty clearly trying to build an artificial barrier to entry and concievably runs afoul a number of antitrust laws in various jurisdictions.
I knew Slashdot was mostly garbage, posted by semi-literate idiots, and moderated by anti-authoritarian libertarian anarchist nerds without girlfriends, but this giving this post a '5' takes the cake. Really. Talk about exposing the moderator's agenda!
Then why don't you take your ad hominem attacks and inability to address any relevant points and leave mr. coward?
It personally insults the original poster, by saying "cowards like you make me sick". If you said this type of thing to someone in person, they'd either laugh at you and call you names like God-damn spotty four-eyed pinko America-hating nerd, or they'd punch you in the nose, or they'd do both.
That's funny, I have called people cowards in person for claiming that Americans should act in this cowardly way. None of them have called me America hating or punched me. Being cowards they have all put their tails between their legs and skulked off. You see that is the defining feature of a coward, they act in a cowardly way.
History has not shown that [acting the way the USA is now] will lead to more suffering and pain, in my opinion.
...and you call the average person here semi-literate? Maybe you should actually buy a history book.
but leaving airport security as it was before September 11 2001, and simply allowing the West's (and by extension, America's) enemies to plot attacks at their leisure by not intercepting their communications seems to me dangerously naïve.
When you finish your "hooked on phonics" course you will be able to actually comprehend what I originally wrote. The changes to the security at airports have not increased security as has been demonstrated time and again. Changes that inconvenience people but don't actually increase security are useful for what reason again?
The danger posed by "terrorists" is miniscule compared to the danger posed by our own government.
You'd also better believe that the West has enemies that are plotting attacks. There are branches of Islam that utterly despise Westerners because we don't share their crazy islamo-fascist belief system and social structure, and because we have a lot of geopolitical power. Just ask the Danish.
Sure. There are branches of christianity that hate all easterners because they don't share their crazy christo-facsist belief system. So how does invading a country full of Islamics, killing huge numbers of them, destroying their infrastructure, looting their funds, selling off all their businesses and natural resources, and imprisoning many of them, raping, and publishing pictures of said rape going to solve the problem? Oh wait its not it is going to make it much, much, much worse. Now people have a lot of very good reasons to hate westerners and not just people in the east.
It seems to have become fashionable amongst the extreme left to say that there is no danger from any foreign organisation or state, and that it's the American Goverment that's the big, bad monster (as it always is apparently).
It seems to be a social disease among the ignorant and slow of thought to try to consolidate everyone who disagrees with their moronic assertion into one group (either the right or the left). By your definitions Thomas Jefferson, Benjamin Franklin, and Andrew Jackson were a bunch of leftist, pinko faggots. Our country was founded on the concept that you can't trust a large centralized government and that it is a huge threat to the people it purports to rule. We were commanded to be "eternally vigilant" in watching our government. I guess you did not bother to read that part of the history books huh?
Just take your ignorance and logical car wreck and go back to your political propaganda of whichever flavor you enjoy. You obviously don't have the critical thinking or logic skills to make any useful contributions except as an example of what kids shouldn't let happen to them.
Hum... Well I am currently sitting in the second largest city in Iraq in support of OIF. I work with the Iraqi people everyday. The above statement is based on this persons guesses and media-hyped opinions. Just flaming another person because they disagree with his personal (and not all together educated) view.
Well I'm sitting in the US city with the largest middle eastern population in the country and I hear comments every day. I hear muslim friends from Pakistan, Turkey, and Iraq comment on how much they hate what the US is doing. I heard one who works for the army comment how when his friends back home found out he regularly met with army brass without any real security they jokingly told him he should blow them up. I also hear interviews done by the BBC and other relatively impartial news sources. You hear people complain that they no longer feel safe or have consistent clean water, electricity, education for their children, etc. A lot of people have lost loved ones and a lot of people have fled to other countries. Did you ever think maybe the people who are angry either don't let you know (for any one of many reasons) or don't interact with you?
Your right the system is not perfect and should be replaced by no system at all. NO security is obviously better then bad security... Dumb ass!
This is known as a false dichotomy. It is not either have security or don't. Every change in the security system can have positive, negative, or no effect on security. The changes that have been made don't increase security but do cause inconvenience. Almost every security evaluation has shown this. The inconvenience is a placebo to make people feel safe and is counter productive to everything except misleading the people to get more votes. You see we can increase security. Just making the cockpit inaccessible from the rest of the plane would be a large step, something Israel has mandated for years. We don't, however, make real improvements because that is not the goal of the people passing the laws. Get it?
Even the Democrats say we are. You can rant all you want about that, and it's not going to change.
The democrats are as corrupt as the republicans. A war in the sense that the law allows war powers has nothing to do with a "war on terror" or a "war on drugs." Those are just ridiculous rhetoric.
The entire American intelligence community would revolt if that was the case
I see just as the did under McCarthy and Nixon and during the 50's, 60's, and 70's? Agents follow orders and this same scene has played out and been exposed again and again. The intelligence community does not revolt, usually the press exposes them.
I sincerely wish you could be here to say that to my face, because sir, I would cram those words down your throat.
I seriously doubt it.
you don't take what we're facing seriously, and thus you are most certainly a fool.
Yeah because historically poor people in third world countries halfway around the globe have always been such a large threat to us as compared to the actions of our own government. Oh wait that's not the case? You're an idiot. Buy a history book. The people responsible for 9/11 died on 9/11. They were flying the planes. They were pissed off because of what the US has done overseas and with quite a bit of justification. A lot more people are pissed off now, like most of the world to some degree or another. Ask yourself why we've gone out of our way to invade a foreign country and kill so many people, both civilian and soldier. Why have we made so many needless enemies? Who that had a say in what happened benefits from our having enemies?
We're not at war with terror, we're using terror to control you and cowards like you. Bin Laden is not an enemy of the state, he's a great way to win votes and pass legislation. Want to save america from the terrorists? Lobby for a free firearm and training for every US citizen. Stop the creation of new terrorists by stopping our murders and theft in the middle east.
" Yes" isn't what's on the button. "Yes" is "whatever button approves the action". There's all kinds of things on the button.
Why don't you provide an example of what you're talking about. As near as I can tell you're just making crap up here. First you said they'd click "yes," then that "yes" was an action, and now "yes" is not a button it is something else related to some sort of button with other stuff?
Including "Open" and other "active phrases". The training doesn't depend on the layout or the details of the button. Muscle memory takes over.
Muscle memory applies to finding common locations on a screen. Usually it only applies to the edges of the screen since you can't "memorize" how to go to the middle of the screen from an arbitrary starting point. When a user is not presented with a dichotomy in a formulaic way it does not apply. If dialogues provide multiple options with different wording depending upon the situation how is someone supposed to be trained to click a particular option? Always click the leftmost button? That will provide the desired behavior less than 50% of the time and seems unlikely to train users to do anything by rote.
That's why on the Mac you don't have dialog boxes popping up when you throw files into the trash, like you do on Windows, because routine "are you sure?" dialogs (no matter how they're worded) get ignored.
No, it is because they are unnecessary. You do get a dialogue if you try to perform lots of actions but only when a decision must be made by the user. Because the user has already chosen to throw something in the trash, there is no point asking them again. If, however, a new program wants to access a user's IM buddy list the computer does not know if the user wants that program to have access, so it should ask. If it is a new chat client or contact database, this will not seem unusual to the user. If it is game called "smack the monkey" they might decide they'd rather it does not read their buddy list. Thus the computer should ask.
Stopping and thinking is the key, not what you're stopping and thinking about.
What are you ranting about? The choice is ask users when new programs want to do something suspicious and give them the option to stop it or don't and I think the proper answer is obvious.
It ran a script in the shell using the Terminal as the mechanism to get to the shell.
Yup, but it would have had less chance of doing damage if it had run in a sandboxed shell. I'm not arguing that Safari auto-execution is a good idea, merely that it is not the only problem and an extra layer of security will stop both attacks that use that vector as well as other vectors.
If the commercial application is in a sandbox, then all the data that application uses and needs is in the sandbox, which means that things that matter to the user are still exposed to compromise. And on top of that, now the user has to keep track of which sandbox which applications are in, and manage even more complexity.
Sigh, you're completely missing the point. Every application should run in its own sandbox and have access only to the files, functions, hardware, other software, etc. that it needs. Especially, certain suspicious behaviors should be restricted by default for new applications. If you install a picture editor the OS should ask when it wants to access your images for the first time. It should ask again the first time it tries to access your e-mail address book or the internet or your taxes unless you have specifically granted it the right to view/edit those files
You're better off forgetting that scheme, and go straight to an OS with mandatory access control, and give every application a classification group, rather than trying to reverse-engineer one by playing games with jails and discretionary access control.
ACLs, jails, VMs, it does not matter the sandbox mechanism so long as it is fast and functional. It does need to be user configurable
We are at war. We are at war with a stateless foe that moves from place to place easily.
Bullshit. We aren't at war. You can't wage war on drugs or fear or anything else other than a foreign nation.
The NSA is tracking calls from this foe. This foe calls American phone numbers, and in some cases, American citizens.
What makes you think that? The NSA is spying on americans. maybe they are citizens that are in contact with foreign agents. Maybe they are citizens who donated to Kerry's election fund. We don't know because the administration has refused to obey the law and even get warrants in the top secret court set up for that purpose. We do know they broke the law because they admitted it.
will some of you learned people please tell me why it was good for FDR to monitor communications between Nazi and Imperial Japanese intelligence, and their assets here? All without a warrant, simply because wartime national security took precedence? And why can't Bush do the same?
Well for starters because Bush has declared that we will now and forever be perpetually in a state of war against an abstract concept. This is not an emergency situation, this is the government intentionally breaking the law and spying on its own citizens during peacetime. Terrorists are not a threat compared to an enemy nation that is conquering large parts of the world. More people die every week in car crashes than died in 9/11. What's next a war on car crashes to justify tracking where each and every car goes all the time?
You cowards make me sick. Someone yells "boo" and you look for anyone to protect you and take care of you, even if it is the one person history has shown you should never trust, the career politician who chose to devote their life to a world of lies and gaining power over others. You know what violent crime and terrorism are much less in Japan. Why don't you just move while those of us who still believe in freedom and courage stay here and face all these big, bad terrorists.
Those who fear the government... Are doing something illegal.
What about those who fear, and have been proven correct repeatedly that individuals within the government are the ones doing something illegal? What is it about the government that makes you think anyone elected or assigned to a post within it should immediately be able to commit crimes?
I am completely fine with government doing what is reasonably neccessary to protect me even if my phone conversation with my ji-had buddies is being listened in on.
And you can provide what assurances that this what they are doing instead of illegally spying on political opponents and blackmailing other government officials as has happened every other time a government agency has lost transparency?
I know that we should have freedoms, but in a post 9-11 age, there is certain information that should not be released for the public to have. This is why we elect government officials. I love freedom, but I am willing to give some up if it means my wife and daughter are safer as a result.
What makes you think your family is any safer? They are already about as likely to die by accidentally drowning in a bucket as by being killed by terrorists. The risk of terrorists is statistically negligible and the actions taken by the administration seem mostly to be PR. People are forced to stand in extra long lines at the airport so they can feel safe but investigative reporters can still sneak anything they want on board and random people accidentally board while wearing six inch hunting knives they forgot about. What makes you think that anyone is even trying to make your family safer? More successful attacks result in more fear and more opportunities for bureaucrats to expand their power and make money. Hell Iraq is the fastest way conceivable to make terrorists who hate the US. We've done everything possible to create angry, frightened people with nothing to lose and an unbelievable hatred of the US.
Cowards like you make me sick. You cringe in fear at a PR campaign and willingly give up all the freedoms your ancestors fought for in the hopes that someone else will protect you, even though they have no reason to do so. If you want to be a coward at least be a smart coward and act in ways that might protect you, rather than ways that history has shown will lead to more suffering and pain.
Umm, the guys who write Web development tutorials for Apple are probably not the same guys that code the OS and applications. This tutorial wasn't actually written by Apple, they are just distributing it. You know the guys in finance are still working on accounts and haven't stopped to try to fix bugs in code either. I've been annoyed by Apple's weird handling of metadata versus extensions since they announced it but you are way off base in complaining about this as if it had some relation to security issues.
I agree they should have tighter permissions there, but for a single-user system there's really no difference to the exposure from/Applications or ~/Library.
Perhaps, perhaps not. It is certainly a lot easier to infect existing applications when you actually have access to modify those application in their default location.
I didn't say they clicked "OK", I said they clicked "yes". That "yes" could be (and IS) just as often an action (like "Open") as not.
"Yes," is not an action. Actions are verbs or active phrases. A user can become conditioned to always click on "Yes." A user can just not read a dialogue box and click "yes" under the assumption that it will make things work. It is a violation of Apple's HIG and with reason. Here are two sample dialogues:
Something something something (Yes)(No)
Something something something (Open)(Don't Open)
The latter example is a good design because even without reading the dialogue the buttons convey information and are actions. You know you are opening or not opening something. Also, due to the psychology of human/computer interaction most people are a lot more likely to read the text in the latter example. Ideally the buttons would actually be more explicit and provide even more information, but I'm sure you get the idea.
No, the first LaunchServices failure was in 2004
Ahh, you're talking about the old vulnerabilities, not exploits. I was referring to the most recent three pieces of malware, which were droppers/trojans for the most part. In any case to take the most recent example, it automatically ran a script in the terminal. That script should have been sandboxed (well it should not have been run in the first place but assuming it was due to this vulnerability or being a trojan) and should not have been able to do much of anything without the user being warned of the new script and given the option of allowing or stopping specific actions of that script.
No, they would like that ability, but I can't see any way to give it to them without radically changing the way modern games work. They need network access, they need significant amounts of persistant storage. They need to be able to download and install updates. Taking that away is just not going to happen.
There are certainly pain points. Some games need internet access and some don't but very few need to send e-mail or IMs or need access to any files outside a sandbox. There is no reason they should be restricted from writing files, so long as those files reside within the sandbox and don't overwrite anything. As for updates, well that and registration can be solved by building an official OS service for updating and registering that follows specific formats and is not restricted by default. There is a lot of low hanging fruit here that can be gathered. Just restricting access to e-mail addresses and IM buddy lists would stop a whole class of spam motivated malware.
Today, the only apps you get that way that aren't otherwise verified and checksummed are pirated games on peer-to-peer networks, and it's easy enough for the user to avoid that. People who download files from the original author's site don't have that problem. If the file is infected, then they KNOW where it came from.
That is not so, actually. There is plenty of spyware in particular that is distributed to the unknowing. There are open and closed source products that someone adds a backdoor into. There is commercial applications that want more permission to do things than users want (like randomly calling home and sending unknown data). And there are traditional worms and viruses that auto-install themselves through some hole in the firewall or service. All of these are executing code that would be a lot better for the user if it was in a sandbox.
Get rid of automatic execution paths that can get code injected into them, and reduce the problem to education, and the virus problem will remain, at wor
It's been demonstrated time and time again that a barrage of dialog boxes will not solve the problem.
No, it's been demonstrated that really poorly crafted dialogue boxes that the average person can't understand, always provide the same two choices, and don't give the user the option to select what they need does not work well. I think anyone who has ever read a book, taken a class, or practiced UI design or usability could have told you that without ever seeing the system in action. Just because the implementation in Windows is horrible does not mean it cannot be done right.
The user either a) figures out the appropriate set of yes/no answers to get the result they desire (ie: running the program)
First, you don't give them "Yes/No" answers. You give them buttons with actions on them like "Don't let it read my e-mail address book." Secondly, the whole point is for them to get the result they desire, but they have to be told what is happening and given the option to actually do what they want.
Here's a little story. Back in the day everyone would get Word files with macros in their e-mail. When you opened such a file you'd get a warning that said something like, "Warning this file has macros enabled and may contain a viruses (OK)(Cancel)." I know managers who would have paid thousands of dollars to anyone who could add a third button to that warning dialogue that said, "(Open the file but don't run any macros)." Eventually MS did add such an option, but the problem this demonstrates is not that dialogue boxes suck. The problem is the user was not given the control they needed.
Right now most users face this same decision. you can install an application and trust it with your internet connection, personal files, contacts, full control of your hardware, and all your keystrokes or you can just not use the software. Users want and need a third option to "run the program but don't let it screw anything up." Uncle bob wants to run some game, but he wants to do it safely. And really how often is he going to install a program that he does want to have access to his kernel, address book, and internet? So often that an extra dialogue box is going to be a huge pain?
b) gets so frustrated with the "broken software that won't let me do anything" they move to some other product that doesn't have the same "problems".
If the software won't let him do anything or is getting in his way unnecessarily then it is poorly designed. Defaults should be set for the most common cases. I don't think users will be upset if they get a dialogue box warning them, in plain and understandable English the first time a new program tries to access their buddy list and asks if they really want that program to have access. Ditto for editing files created by other programs, modifying the OS or other programs, accessing the e-mail address book, sending e-mail, etc. The vast majority of the activities that people make trojans to do are things users very rarely want to do and thus double checking on them will not get in the user's way. In fact, I think most will be happy to understand their computer for a change and be reassured that their computer is not letting just anything do anything it wants.
Anyway, all the pre-installed software will already have their access configured so the only possible pain points are for third party add-ons. In which case maybe a user will migrate to a different program that does not throw up lots of dialogues. That is a good thing, it means the software is not behaving in ways it should not behave in the first place. I already avoid userspace software that wants to write kernel modules and contact random IP addresses in Europe (I'm talking to you Adobe). Informing users and giving them control will help make for better software because it will make for more informed consumers.
Basically I disagree that dialogue boxes cannot be well implemented and I disagree that this would inconvenience users as much as you seem to think it would. Users don't have the control they need or the info and option to exercise that control. Until they do, trojans will spread because users have to make uninformed guesses.
Laws never have anything to do with the 'stated purpose' of the political hack that is putting it forward.
I'm talking about the stated purpose as written in the laws themselves, not what some politician happens to have said about them. You might note I suspect there was some copy/paste going on since the laws from several states are very similar.
I think we're mostly on the same page, but I think OS's should be improved to make users safer, while you are arguing more for education (something I think is just too complex for the average couch jockey given the state of the art). I honestly think that if not for the Windows monopoly OS's would have implemented this sort of control years ago to give average users the option to "run the dumb game without letting it fuck anything up." I agree that java/flash etc. are part of the way there, but it needs to be taken the rest of the way. The OS needs to have the UI built to let users actually control the sandbox and all programs need to run in it by default. I'm not talking about taking control away from users, I'm just talking about giving them more finely grained control and the information they need to use it within the UI.
This isn't an "Administrator" problem, this is a "default permissions are too wide open" problem.
Call it what you want. The default user account most users will use has too many permissions. Obviously these can be changed, but that does not help the problem as anyone savvy enough to change their permissions is not likely to be using the default admin account for normal use anyway.
That's not as significant a problem as it seems, because there's plenty of places an application without write access to/Applications or/Library can hide.
The problem isn't that they can hide, it is that they can overwrite/modify commonly used and trusted applications and user settings.
This is the same "last minute" security that Microsoft has attempted to use for years and failed miserably at. The main thing it does is condition people that when they do stuff on their computer, it brings up annoying dialog prompts all the time, and you need to approve stuff. These "false positives" on Windows happen far too often, and I can't tell you the number of times I've had to repair or re-image somone's computer because they'd automatically clicked "yes" by reflex.
The Windows implementation is abysmal and stupid, that does not mean they all have to be. Windows users click "OK" all the time because they are conditioned to. Apple's HIG and most anyone with a clue will tell you that you need to provide buttons that are actions, thus the user has to read them and can't be conditioned to act on reflex. They also need to build dev tools and encourage coding practices that encourage properly behaving applications. You don't throw up a dialogue that says, "CoolGame is connecting on port 22 (OK/Cancel)." You display something like, "The program 'CoolGame' wants to access the internet in a way usually used to log into the command line (Stop it from connecting to the internet)(Allow it to connect to the internet)(Open Advanced Config Options)."
this wouldn't have helped prevent ANY of the three failures of Safari's use of LaunchServices, because none of these attacks involved new applications.
What? They all involved new executables launching. Just because Safari launched them (in two cases) or a user manually launched it does not matter. All new executables should live in a jail unless an expert user goes out of their way to install them outside of one.
When trojans were almost the only type of attack users needed self-control, and the way to create it isn't to bombard them with pointless fire drills... it's to shut down ANY mechanism designed to be "helpful" by auto-executing anything except plugins and helpers designed for security through a secure path.
No the way is to give them the control and information they need. If the average user wants to play a game they need the ability to do that without gambling that it won't compromise their system. Having to choose between completely trusting an application or not using it is not acceptable to users and that is the choice most users have today.
Things like jails and improved permissions are useful, but by the time they're necessary the battles more than half lost.
People will download and run executables for one reason or another. They need good jails/VMs/ACLs so that they can do so safely and they need good default restrictions on those so that exceptions become obvious. This could result in tons of unnecessary warning is developers insist on asking for more permissions than they should have (and some will) but those application developers will lose out in the market because users will find clicking through and adding permissions to be a pain and because they will learn to not trust those applications. If your program phones home, users will know. If it installs hidden files in crazy places, they'll know. If it patches the kernel to add a copy protection mechanism, they'll know.
Go read the whistleblower statutes. You're incorrect.
Actually, I have read them both for this state and several others. I was speaking of the stated purpose of the whistle blower statutes, which I was paraphrasing. The details of the implementations may or may not actually do that, but the majority of them state that the purpose is to protect the interests of the people by offering protection for those who act in the interests of the people when that interest is in exposing government corruption, public health dangers, and other topics of great concern to the populace.
The Mac OS X "admin" user is a regular user account, it's nothing like "Administrator" on Windows or "root" on UNIX. Unless you SU to a real admin account (which is what you're doing when you type in your password to a security dialog) the OS doesn't give you any more rights than any other user.
You are misinformed. The first account you create is an administrator. It can do a number of things without being prompted for a password that regular users cannot. This includes writing to the global Applications and Library folders, which one of the recent pieces of malware (Leap_A) takes advantage of. This means most users(who are admins) will not be prompted for a password to say modify or overwrite iTunes.
The default permissions for new applications give them no more rights than the user running them.
Which are far too many. A user can obviously read their own address book, buddy list, send e-mail, send IMs, transfer files, access the internet, or delete everything in their user directory. That does not mean a "game" you download from the internet should be granted these privileges by default. New applications should placed in a jail or VM and only granted any of the above privileges after the user is asked. Most malware these days requires no human intervention, but eventually that may change. When trojans become the most common type of attack users will need more control and it is better to build it now and get it well tested, than to wait until it is a really big problem and companies have decided to solve it in a less useful way (think MS controlled white-list of programs with accompanying tollbooth fee).
Of course, `common sense' isn't really that common, among Mac or Windows users. This.exe/.sit file that somebody mailed me lets me play elf bowling? Give me some of that!
I take exception to this. There is no reason at all using a properly developed OS the average user should not be able to run a random game from the internet without their machine being compromised. Users can be the weakest link in the security chain but you have to give them the proper tools before it comes to that. When a user downloads some random executable and runs it the OS should warn them it is an executable, but it should also quarantine that program in a VM or similarly restrict it. I mean how often do you download something at random and want it to access the internet, be able to access your personal files without permission, log keystrokes from other applications, overwrite other programs, or modify the OS in a significant way? Whenever a new program wants to do any of these things the user should be prompted and given the option to allow or disallow the behavior and it should be presented to them in plain language and with real options (not OK/Cancel). Build that functionality into the OS first, then provide a small amount of education. If users still screw up you can complain that they have no common sense.
Honestly, I get annoyed when users do dumb things too, but they should not have to be experts to do common tasks. In reality most OS's these days do a piss poor job of providing users with the functionality, control, and information they need. OS X may be a little better than Windows in this regard, but it is nowhere near good enough. The main reason it seems well done is because it is standing next to the poster child of easy compromises. There are real improvements that need to be made and probably would have been made by now if progress had not been brought to a crawl by a certain monopoly.
User education is important, but it should be a two hour course if users are given the proper tools, not a four year degree to be a harder target than the average.
As far as I know the only exploits in the wild involving OS X have been social engineering attacks... trojan horses convincing people to execute programs. These aren't security holes.
Actually, I disagree with this one. An installer that configures an admin user and does not prompt the user to create a regular user account is a security hole. Default permissions for new applications that permit them to modify existing applications without warning are a security hole. Of course since these security holes exist as a matter of course in pretty much all OS's (maybe not bastille linux, or some other rare secure OS variant) so they are rarely looked upon as such. I see your point though. They are not holes as many people would think of them and not in the same way as one would think of a Windows security hole.
I see Apple's mistake as being to offer the "Open Safe Files After Download" feature.
Well, that is part of the problem, but not the most serious problem, IMHO. The main problem is that an executable file type can disguise itself as data. This is due to a pragmatic but dangerous decision made by Apple. In OS 9 Apple relied upon metadata stored within a program to determine what it was (data type and or application). In OS X they reverted to the more crude file extension to store the type of data or executable. This introduced a number of problems including hiding extensions and the old "foo.jpg.exe" type obfuscation. Even more dangerously because of the OS 9 compatibility requirements it provided two completely different means of identifying file types which could be contradictory and invisible to the end user. Switching to using extensions was practical even if it was backsliding. Keeping the old method for compatibility was practical as it allowed old software to still run cleanly. The conflict, however, now needs to be resolved. Turning off "open safe files" by default is probably the right behavior, but it is no where near as serious as the other problem this highlights.
Just FYI: correlation does in fact imply correlation.
No correlation is correlation, there is no implication involved. Something does not imply itself. Being green does not imply that something is green. The famous quote is that correlation does not imply causation, which is true. Causation is, however, one possible and usually testable factor that could create a correlation, and thus it is often a starting place for experimentation.
IGN did something rare for modern media and actually cited its references. The one you're probably interested in looking up is the first listed
I did look up this particular study out of curiosity and I'm significantly underwhelmed. Mr. Anderson does not seem to do much in the way of experimenting, but like to statistically analyze the results of other studies. Further to provide support for his papers it seems he likes to cite himself (his previous papers) as all of his primary references. He also seems focused on media appearances and speaking engagements, which makes me somewhat suspicious of his motives.
Maybe he's on the up and up, but he certainly does not seem to be very thorough or scientific. His abstract begins with the theory that since TV and movies increase violence, video games probably do as well. He then describes his "meta-analytic" review of other published articles from which he supports his belief. It may be a way to get grant money, but it isn't science.
Did it ever occur to you that, yes, maybe you did miss a memo? I mean, why would you just assume that because you haven't heard of something it couldn't be true?
They did not just state that there was evidence to support a theory they stated there was a large body of evidence supporting a theory. It seem perfectly natural to be incredulous that one could have missed such a large body of evidence and ask for some of said evidence. Is someone were to start a statement with "Since there is a large body of evidence showing that gravity really does not exist..." I might react incredulously as well whilst I asked for evidence to back up this claim that seems to contradict most established study in a field. I don't see anything at all wrong with the previous poster's reaction.
imply |im?pl?| verb ( -plies, -plied) [ trans. ] strongly suggest the truth or existence of
There is a strong correlation between red hair and people who live in Ireland. Would you then say that fact strongly suggests that it is true that living in Ireland will cause you to have red hair? I didn't think so.
It is my policy to never point out grammar or spelling mistakes on forums unless I am quoting someone, can't understand the intended meaning, or that is the purpose of the forum or thread. I just thought it was amusing that in an a thread about computing and education someone could include so many grammar and spelling mistakes including misspelling 'illiterate.'
To get on topic though, I really think this varies from school to school. Some educational institutions employ and create more OSS than nearly anywhere else. Others are strictly MS shops that buy whatever the MS rep tells them to. Some employ top notch IT people both as permanent staff and recruited from the cream of the student body. Others outsource it all. Some schools employ software in a way that complements and enables the learning process while others try to bolt on some sort of computer training. I'm not sure we can really generalize this sort of thing and we need to look very carefully at any funded studies to see if they have an agenda.
But i belive in this case this was just a shot to sell their own service, the main question is since its their network are they really ALLOWED to do this?
Sure, just as soon as they give up all their lines using publicly owned right of ways and are willing to no longer be protected from legal action for all the copyrighted material and kiddie porn they republish from router to router. That is to say, when they are no a government mandated local monopoly with special protections and privileges they can stop upholding the responsibilities of a common carrier that requires that treat everyone on their network, including services they offer themselves, equally.
Skype into this relationship? Why is this not a perfectly acceptable competitive advantage offered to a partner?
If Intel is shown to be a monopoly then this is pretty clearly trying to build an artificial barrier to entry and concievably runs afoul a number of antitrust laws in various jurisdictions.
Except that if you read the fine print your ISP more than likely promised you "up to 2MB/s", not a flat, fixed 2MB/s.
Having to read the "fine print" to find out your unlimited connection is not unlimited is called "false and misleading advertising."
I knew Slashdot was mostly garbage, posted by semi-literate idiots, and moderated by anti-authoritarian libertarian anarchist nerds without girlfriends, but this giving this post a '5' takes the cake. Really. Talk about exposing the moderator's agenda!
Then why don't you take your ad hominem attacks and inability to address any relevant points and leave mr. coward?
It personally insults the original poster, by saying "cowards like you make me sick". If you said this type of thing to someone in person, they'd either laugh at you and call you names like God-damn spotty four-eyed pinko America-hating nerd, or they'd punch you in the nose, or they'd do both.
That's funny, I have called people cowards in person for claiming that Americans should act in this cowardly way. None of them have called me America hating or punched me. Being cowards they have all put their tails between their legs and skulked off. You see that is the defining feature of a coward, they act in a cowardly way.
History has not shown that [acting the way the USA is now] will lead to more suffering and pain, in my opinion.
...and you call the average person here semi-literate? Maybe you should actually buy a history book.
but leaving airport security as it was before September 11 2001, and simply allowing the West's (and by extension, America's) enemies to plot attacks at their leisure by not intercepting their communications seems to me dangerously naïve.
When you finish your "hooked on phonics" course you will be able to actually comprehend what I originally wrote. The changes to the security at airports have not increased security as has been demonstrated time and again. Changes that inconvenience people but don't actually increase security are useful for what reason again?
The danger posed by "terrorists" is miniscule compared to the danger posed by our own government.
You'd also better believe that the West has enemies that are plotting attacks. There are branches of Islam that utterly despise Westerners because we don't share their crazy islamo-fascist belief system and social structure, and because we have a lot of geopolitical power. Just ask the Danish.
Sure. There are branches of christianity that hate all easterners because they don't share their crazy christo-facsist belief system. So how does invading a country full of Islamics, killing huge numbers of them, destroying their infrastructure, looting their funds, selling off all their businesses and natural resources, and imprisoning many of them, raping, and publishing pictures of said rape going to solve the problem? Oh wait its not it is going to make it much, much, much worse. Now people have a lot of very good reasons to hate westerners and not just people in the east.
It seems to have become fashionable amongst the extreme left to say that there is no danger from any foreign organisation or state, and that it's the American Goverment that's the big, bad monster (as it always is apparently).
It seems to be a social disease among the ignorant and slow of thought to try to consolidate everyone who disagrees with their moronic assertion into one group (either the right or the left). By your definitions Thomas Jefferson, Benjamin Franklin, and Andrew Jackson were a bunch of leftist, pinko faggots. Our country was founded on the concept that you can't trust a large centralized government and that it is a huge threat to the people it purports to rule. We were commanded to be "eternally vigilant" in watching our government. I guess you did not bother to read that part of the history books huh?
Just take your ignorance and logical car wreck and go back to your political propaganda of whichever flavor you enjoy. You obviously don't have the critical thinking or logic skills to make any useful contributions except as an example of what kids shouldn't let happen to them.
Hum... Well I am currently sitting in the second largest city in Iraq in support of OIF. I work with the Iraqi people everyday. The above statement is based on this persons guesses and media-hyped opinions. Just flaming another person because they disagree with his personal (and not all together educated) view.
Well I'm sitting in the US city with the largest middle eastern population in the country and I hear comments every day. I hear muslim friends from Pakistan, Turkey, and Iraq comment on how much they hate what the US is doing. I heard one who works for the army comment how when his friends back home found out he regularly met with army brass without any real security they jokingly told him he should blow them up. I also hear interviews done by the BBC and other relatively impartial news sources. You hear people complain that they no longer feel safe or have consistent clean water, electricity, education for their children, etc. A lot of people have lost loved ones and a lot of people have fled to other countries. Did you ever think maybe the people who are angry either don't let you know (for any one of many reasons) or don't interact with you?
Your right the system is not perfect and should be replaced by no system at all. NO security is obviously better then bad security... Dumb ass!
This is known as a false dichotomy. It is not either have security or don't. Every change in the security system can have positive, negative, or no effect on security. The changes that have been made don't increase security but do cause inconvenience. Almost every security evaluation has shown this. The inconvenience is a placebo to make people feel safe and is counter productive to everything except misleading the people to get more votes. You see we can increase security. Just making the cockpit inaccessible from the rest of the plane would be a large step, something Israel has mandated for years. We don't, however, make real improvements because that is not the goal of the people passing the laws. Get it?
Even the Democrats say we are. You can rant all you want about that, and it's not going to change.
The democrats are as corrupt as the republicans. A war in the sense that the law allows war powers has nothing to do with a "war on terror" or a "war on drugs." Those are just ridiculous rhetoric.
The entire American intelligence community would revolt if that was the case
I see just as the did under McCarthy and Nixon and during the 50's, 60's, and 70's? Agents follow orders and this same scene has played out and been exposed again and again. The intelligence community does not revolt, usually the press exposes them.
I sincerely wish you could be here to say that to my face, because sir, I would cram those words down your throat.
I seriously doubt it.
you don't take what we're facing seriously, and thus you are most certainly a fool.
Yeah because historically poor people in third world countries halfway around the globe have always been such a large threat to us as compared to the actions of our own government. Oh wait that's not the case? You're an idiot. Buy a history book. The people responsible for 9/11 died on 9/11. They were flying the planes. They were pissed off because of what the US has done overseas and with quite a bit of justification. A lot more people are pissed off now, like most of the world to some degree or another. Ask yourself why we've gone out of our way to invade a foreign country and kill so many people, both civilian and soldier. Why have we made so many needless enemies? Who that had a say in what happened benefits from our having enemies?
We're not at war with terror, we're using terror to control you and cowards like you. Bin Laden is not an enemy of the state, he's a great way to win votes and pass legislation. Want to save america from the terrorists? Lobby for a free firearm and training for every US citizen. Stop the creation of new terrorists by stopping our murders and theft in the middle east.
" Yes" isn't what's on the button. "Yes" is "whatever button approves the action". There's all kinds of things on the button.
Why don't you provide an example of what you're talking about. As near as I can tell you're just making crap up here. First you said they'd click "yes," then that "yes" was an action, and now "yes" is not a button it is something else related to some sort of button with other stuff?
Including "Open" and other "active phrases". The training doesn't depend on the layout or the details of the button. Muscle memory takes over.
Muscle memory applies to finding common locations on a screen. Usually it only applies to the edges of the screen since you can't "memorize" how to go to the middle of the screen from an arbitrary starting point. When a user is not presented with a dichotomy in a formulaic way it does not apply. If dialogues provide multiple options with different wording depending upon the situation how is someone supposed to be trained to click a particular option? Always click the leftmost button? That will provide the desired behavior less than 50% of the time and seems unlikely to train users to do anything by rote.
That's why on the Mac you don't have dialog boxes popping up when you throw files into the trash, like you do on Windows, because routine "are you sure?" dialogs (no matter how they're worded) get ignored.
No, it is because they are unnecessary. You do get a dialogue if you try to perform lots of actions but only when a decision must be made by the user. Because the user has already chosen to throw something in the trash, there is no point asking them again. If, however, a new program wants to access a user's IM buddy list the computer does not know if the user wants that program to have access, so it should ask. If it is a new chat client or contact database, this will not seem unusual to the user. If it is game called "smack the monkey" they might decide they'd rather it does not read their buddy list. Thus the computer should ask.
Stopping and thinking is the key, not what you're stopping and thinking about.
What are you ranting about? The choice is ask users when new programs want to do something suspicious and give them the option to stop it or don't and I think the proper answer is obvious.
It ran a script in the shell using the Terminal as the mechanism to get to the shell.
Yup, but it would have had less chance of doing damage if it had run in a sandboxed shell. I'm not arguing that Safari auto-execution is a good idea, merely that it is not the only problem and an extra layer of security will stop both attacks that use that vector as well as other vectors.
If the commercial application is in a sandbox, then all the data that application uses and needs is in the sandbox, which means that things that matter to the user are still exposed to compromise. And on top of that, now the user has to keep track of which sandbox which applications are in, and manage even more complexity.
Sigh, you're completely missing the point. Every application should run in its own sandbox and have access only to the files, functions, hardware, other software, etc. that it needs. Especially, certain suspicious behaviors should be restricted by default for new applications. If you install a picture editor the OS should ask when it wants to access your images for the first time. It should ask again the first time it tries to access your e-mail address book or the internet or your taxes unless you have specifically granted it the right to view/edit those files
You're better off forgetting that scheme, and go straight to an OS with mandatory access control, and give every application a classification group, rather than trying to reverse-engineer one by playing games with jails and discretionary access control.
ACLs, jails, VMs, it does not matter the sandbox mechanism so long as it is fast and functional. It does need to be user configurable
We are at war. We are at war with a stateless foe that moves from place to place easily.
Bullshit. We aren't at war. You can't wage war on drugs or fear or anything else other than a foreign nation.
The NSA is tracking calls from this foe. This foe calls American phone numbers, and in some cases, American citizens.
What makes you think that? The NSA is spying on americans. maybe they are citizens that are in contact with foreign agents. Maybe they are citizens who donated to Kerry's election fund. We don't know because the administration has refused to obey the law and even get warrants in the top secret court set up for that purpose. We do know they broke the law because they admitted it.
will some of you learned people please tell me why it was good for FDR to monitor communications between Nazi and Imperial Japanese intelligence, and their assets here? All without a warrant, simply because wartime national security took precedence? And why can't Bush do the same?
Well for starters because Bush has declared that we will now and forever be perpetually in a state of war against an abstract concept. This is not an emergency situation, this is the government intentionally breaking the law and spying on its own citizens during peacetime. Terrorists are not a threat compared to an enemy nation that is conquering large parts of the world. More people die every week in car crashes than died in 9/11. What's next a war on car crashes to justify tracking where each and every car goes all the time?
You cowards make me sick. Someone yells "boo" and you look for anyone to protect you and take care of you, even if it is the one person history has shown you should never trust, the career politician who chose to devote their life to a world of lies and gaining power over others. You know what violent crime and terrorism are much less in Japan. Why don't you just move while those of us who still believe in freedom and courage stay here and face all these big, bad terrorists.
Those who fear the government... Are doing something illegal.
What about those who fear, and have been proven correct repeatedly that individuals within the government are the ones doing something illegal? What is it about the government that makes you think anyone elected or assigned to a post within it should immediately be able to commit crimes?
I am completely fine with government doing what is reasonably neccessary to protect me even if my phone conversation with my ji-had buddies is being listened in on.
And you can provide what assurances that this what they are doing instead of illegally spying on political opponents and blackmailing other government officials as has happened every other time a government agency has lost transparency?
I know that we should have freedoms, but in a post 9-11 age, there is certain information that should not be released for the public to have. This is why we elect government officials. I love freedom, but I am willing to give some up if it means my wife and daughter are safer as a result.
What makes you think your family is any safer? They are already about as likely to die by accidentally drowning in a bucket as by being killed by terrorists. The risk of terrorists is statistically negligible and the actions taken by the administration seem mostly to be PR. People are forced to stand in extra long lines at the airport so they can feel safe but investigative reporters can still sneak anything they want on board and random people accidentally board while wearing six inch hunting knives they forgot about. What makes you think that anyone is even trying to make your family safer? More successful attacks result in more fear and more opportunities for bureaucrats to expand their power and make money. Hell Iraq is the fastest way conceivable to make terrorists who hate the US. We've done everything possible to create angry, frightened people with nothing to lose and an unbelievable hatred of the US.
Cowards like you make me sick. You cringe in fear at a PR campaign and willingly give up all the freedoms your ancestors fought for in the hopes that someone else will protect you, even though they have no reason to do so. If you want to be a coward at least be a smart coward and act in ways that might protect you, rather than ways that history has shown will lead to more suffering and pain.
Umm, the guys who write Web development tutorials for Apple are probably not the same guys that code the OS and applications. This tutorial wasn't actually written by Apple, they are just distributing it. You know the guys in finance are still working on accounts and haven't stopped to try to fix bugs in code either. I've been annoyed by Apple's weird handling of metadata versus extensions since they announced it but you are way off base in complaining about this as if it had some relation to security issues.
I agree they should have tighter permissions there, but for a single-user system there's really no difference to the exposure from /Applications or ~/Library.
Perhaps, perhaps not. It is certainly a lot easier to infect existing applications when you actually have access to modify those application in their default location.
I didn't say they clicked "OK", I said they clicked "yes". That "yes" could be (and IS) just as often an action (like "Open") as not.
"Yes," is not an action. Actions are verbs or active phrases. A user can become conditioned to always click on "Yes." A user can just not read a dialogue box and click "yes" under the assumption that it will make things work. It is a violation of Apple's HIG and with reason. Here are two sample dialogues:
Something something something (Yes)(No)
Something something something (Open)(Don't Open)
The latter example is a good design because even without reading the dialogue the buttons convey information and are actions. You know you are opening or not opening something. Also, due to the psychology of human/computer interaction most people are a lot more likely to read the text in the latter example. Ideally the buttons would actually be more explicit and provide even more information, but I'm sure you get the idea.
No, the first LaunchServices failure was in 2004
Ahh, you're talking about the old vulnerabilities, not exploits. I was referring to the most recent three pieces of malware, which were droppers/trojans for the most part. In any case to take the most recent example, it automatically ran a script in the terminal. That script should have been sandboxed (well it should not have been run in the first place but assuming it was due to this vulnerability or being a trojan) and should not have been able to do much of anything without the user being warned of the new script and given the option of allowing or stopping specific actions of that script.
No, they would like that ability, but I can't see any way to give it to them without radically changing the way modern games work. They need network access, they need significant amounts of persistant storage. They need to be able to download and install updates. Taking that away is just not going to happen.
There are certainly pain points. Some games need internet access and some don't but very few need to send e-mail or IMs or need access to any files outside a sandbox. There is no reason they should be restricted from writing files, so long as those files reside within the sandbox and don't overwrite anything. As for updates, well that and registration can be solved by building an official OS service for updating and registering that follows specific formats and is not restricted by default. There is a lot of low hanging fruit here that can be gathered. Just restricting access to e-mail addresses and IM buddy lists would stop a whole class of spam motivated malware.
Today, the only apps you get that way that aren't otherwise verified and checksummed are pirated games on peer-to-peer networks, and it's easy enough for the user to avoid that. People who download files from the original author's site don't have that problem. If the file is infected, then they KNOW where it came from.
That is not so, actually. There is plenty of spyware in particular that is distributed to the unknowing. There are open and closed source products that someone adds a backdoor into. There is commercial applications that want more permission to do things than users want (like randomly calling home and sending unknown data). And there are traditional worms and viruses that auto-install themselves through some hole in the firewall or service. All of these are executing code that would be a lot better for the user if it was in a sandbox.
Get rid of automatic execution paths that can get code injected into them, and reduce the problem to education, and the virus problem will remain, at wor
It's been demonstrated time and time again that a barrage of dialog boxes will not solve the problem.
No, it's been demonstrated that really poorly crafted dialogue boxes that the average person can't understand, always provide the same two choices, and don't give the user the option to select what they need does not work well. I think anyone who has ever read a book, taken a class, or practiced UI design or usability could have told you that without ever seeing the system in action. Just because the implementation in Windows is horrible does not mean it cannot be done right.
The user either a) figures out the appropriate set of yes/no answers to get the result they desire (ie: running the program)
First, you don't give them "Yes/No" answers. You give them buttons with actions on them like "Don't let it read my e-mail address book." Secondly, the whole point is for them to get the result they desire, but they have to be told what is happening and given the option to actually do what they want.
Here's a little story. Back in the day everyone would get Word files with macros in their e-mail. When you opened such a file you'd get a warning that said something like, "Warning this file has macros enabled and may contain a viruses (OK)(Cancel)." I know managers who would have paid thousands of dollars to anyone who could add a third button to that warning dialogue that said, "(Open the file but don't run any macros)." Eventually MS did add such an option, but the problem this demonstrates is not that dialogue boxes suck. The problem is the user was not given the control they needed.
Right now most users face this same decision. you can install an application and trust it with your internet connection, personal files, contacts, full control of your hardware, and all your keystrokes or you can just not use the software. Users want and need a third option to "run the program but don't let it screw anything up." Uncle bob wants to run some game, but he wants to do it safely. And really how often is he going to install a program that he does want to have access to his kernel, address book, and internet? So often that an extra dialogue box is going to be a huge pain?
b) gets so frustrated with the "broken software that won't let me do anything" they move to some other product that doesn't have the same "problems".
If the software won't let him do anything or is getting in his way unnecessarily then it is poorly designed. Defaults should be set for the most common cases. I don't think users will be upset if they get a dialogue box warning them, in plain and understandable English the first time a new program tries to access their buddy list and asks if they really want that program to have access. Ditto for editing files created by other programs, modifying the OS or other programs, accessing the e-mail address book, sending e-mail, etc. The vast majority of the activities that people make trojans to do are things users very rarely want to do and thus double checking on them will not get in the user's way. In fact, I think most will be happy to understand their computer for a change and be reassured that their computer is not letting just anything do anything it wants.
Anyway, all the pre-installed software will already have their access configured so the only possible pain points are for third party add-ons. In which case maybe a user will migrate to a different program that does not throw up lots of dialogues. That is a good thing, it means the software is not behaving in ways it should not behave in the first place. I already avoid userspace software that wants to write kernel modules and contact random IP addresses in Europe (I'm talking to you Adobe). Informing users and giving them control will help make for better software because it will make for more informed consumers.
Basically I disagree that dialogue boxes cannot be well implemented and I disagree that this would inconvenience users as much as you seem to think it would. Users don't have the control they need or the info and option to exercise that control. Until they do, trojans will spread because users have to make uninformed guesses.
Laws never have anything to do with the 'stated purpose' of the political hack that is putting it forward.
I'm talking about the stated purpose as written in the laws themselves, not what some politician happens to have said about them. You might note I suspect there was some copy/paste going on since the laws from several states are very similar.
I think we're mostly on the same page, but I think OS's should be improved to make users safer, while you are arguing more for education (something I think is just too complex for the average couch jockey given the state of the art). I honestly think that if not for the Windows monopoly OS's would have implemented this sort of control years ago to give average users the option to "run the dumb game without letting it fuck anything up." I agree that java/flash etc. are part of the way there, but it needs to be taken the rest of the way. The OS needs to have the UI built to let users actually control the sandbox and all programs need to run in it by default. I'm not talking about taking control away from users, I'm just talking about giving them more finely grained control and the information they need to use it within the UI.
This isn't an "Administrator" problem, this is a "default permissions are too wide open" problem.
Call it what you want. The default user account most users will use has too many permissions. Obviously these can be changed, but that does not help the problem as anyone savvy enough to change their permissions is not likely to be using the default admin account for normal use anyway.
That's not as significant a problem as it seems, because there's plenty of places an application without write access to /Applications or /Library can hide.
The problem isn't that they can hide, it is that they can overwrite/modify commonly used and trusted applications and user settings.
This is the same "last minute" security that Microsoft has attempted to use for years and failed miserably at. The main thing it does is condition people that when they do stuff on their computer, it brings up annoying dialog prompts all the time, and you need to approve stuff. These "false positives" on Windows happen far too often, and I can't tell you the number of times I've had to repair or re-image somone's computer because they'd automatically clicked "yes" by reflex.
The Windows implementation is abysmal and stupid, that does not mean they all have to be. Windows users click "OK" all the time because they are conditioned to. Apple's HIG and most anyone with a clue will tell you that you need to provide buttons that are actions, thus the user has to read them and can't be conditioned to act on reflex. They also need to build dev tools and encourage coding practices that encourage properly behaving applications. You don't throw up a dialogue that says, "CoolGame is connecting on port 22 (OK/Cancel)." You display something like, "The program 'CoolGame' wants to access the internet in a way usually used to log into the command line (Stop it from connecting to the internet)(Allow it to connect to the internet)(Open Advanced Config Options)."
this wouldn't have helped prevent ANY of the three failures of Safari's use of LaunchServices, because none of these attacks involved new applications.
What? They all involved new executables launching. Just because Safari launched them (in two cases) or a user manually launched it does not matter. All new executables should live in a jail unless an expert user goes out of their way to install them outside of one.
When trojans were almost the only type of attack users needed self-control, and the way to create it isn't to bombard them with pointless fire drills... it's to shut down ANY mechanism designed to be "helpful" by auto-executing anything except plugins and helpers designed for security through a secure path.
No the way is to give them the control and information they need. If the average user wants to play a game they need the ability to do that without gambling that it won't compromise their system. Having to choose between completely trusting an application or not using it is not acceptable to users and that is the choice most users have today.
Things like jails and improved permissions are useful, but by the time they're necessary the battles more than half lost.
People will download and run executables for one reason or another. They need good jails/VMs/ACLs so that they can do so safely and they need good default restrictions on those so that exceptions become obvious. This could result in tons of unnecessary warning is developers insist on asking for more permissions than they should have (and some will) but those application developers will lose out in the market because users will find clicking through and adding permissions to be a pain and because they will learn to not trust those applications. If your program phones home, users will know. If it installs hidden files in crazy places, they'll know. If it patches the kernel to add a copy protection mechanism, they'll know.
Getting buy in from developers is a hurdle, but
Go read the whistleblower statutes. You're incorrect.
Actually, I have read them both for this state and several others. I was speaking of the stated purpose of the whistle blower statutes, which I was paraphrasing. The details of the implementations may or may not actually do that, but the majority of them state that the purpose is to protect the interests of the people by offering protection for those who act in the interests of the people when that interest is in exposing government corruption, public health dangers, and other topics of great concern to the populace.
The Mac OS X "admin" user is a regular user account, it's nothing like "Administrator" on Windows or "root" on UNIX. Unless you SU to a real admin account (which is what you're doing when you type in your password to a security dialog) the OS doesn't give you any more rights than any other user.
You are misinformed. The first account you create is an administrator. It can do a number of things without being prompted for a password that regular users cannot. This includes writing to the global Applications and Library folders, which one of the recent pieces of malware (Leap_A) takes advantage of. This means most users(who are admins) will not be prompted for a password to say modify or overwrite iTunes.
The default permissions for new applications give them no more rights than the user running them.
Which are far too many. A user can obviously read their own address book, buddy list, send e-mail, send IMs, transfer files, access the internet, or delete everything in their user directory. That does not mean a "game" you download from the internet should be granted these privileges by default. New applications should placed in a jail or VM and only granted any of the above privileges after the user is asked. Most malware these days requires no human intervention, but eventually that may change. When trojans become the most common type of attack users will need more control and it is better to build it now and get it well tested, than to wait until it is a really big problem and companies have decided to solve it in a less useful way (think MS controlled white-list of programs with accompanying tollbooth fee).
Of course, `common sense' isn't really that common, among Mac or Windows users. This .exe/.sit file that somebody mailed me lets me play elf bowling? Give me some of that!
I take exception to this. There is no reason at all using a properly developed OS the average user should not be able to run a random game from the internet without their machine being compromised. Users can be the weakest link in the security chain but you have to give them the proper tools before it comes to that. When a user downloads some random executable and runs it the OS should warn them it is an executable, but it should also quarantine that program in a VM or similarly restrict it. I mean how often do you download something at random and want it to access the internet, be able to access your personal files without permission, log keystrokes from other applications, overwrite other programs, or modify the OS in a significant way? Whenever a new program wants to do any of these things the user should be prompted and given the option to allow or disallow the behavior and it should be presented to them in plain language and with real options (not OK/Cancel). Build that functionality into the OS first, then provide a small amount of education. If users still screw up you can complain that they have no common sense.
Honestly, I get annoyed when users do dumb things too, but they should not have to be experts to do common tasks. In reality most OS's these days do a piss poor job of providing users with the functionality, control, and information they need. OS X may be a little better than Windows in this regard, but it is nowhere near good enough. The main reason it seems well done is because it is standing next to the poster child of easy compromises. There are real improvements that need to be made and probably would have been made by now if progress had not been brought to a crawl by a certain monopoly.
User education is important, but it should be a two hour course if users are given the proper tools, not a four year degree to be a harder target than the average.
As far as I know the only exploits in the wild involving OS X have been social engineering attacks... trojan horses convincing people to execute programs. These aren't security holes.
Actually, I disagree with this one. An installer that configures an admin user and does not prompt the user to create a regular user account is a security hole. Default permissions for new applications that permit them to modify existing applications without warning are a security hole. Of course since these security holes exist as a matter of course in pretty much all OS's (maybe not bastille linux, or some other rare secure OS variant) so they are rarely looked upon as such. I see your point though. They are not holes as many people would think of them and not in the same way as one would think of a Windows security hole.
I see Apple's mistake as being to offer the "Open Safe Files After Download" feature.
Well, that is part of the problem, but not the most serious problem, IMHO. The main problem is that an executable file type can disguise itself as data. This is due to a pragmatic but dangerous decision made by Apple. In OS 9 Apple relied upon metadata stored within a program to determine what it was (data type and or application). In OS X they reverted to the more crude file extension to store the type of data or executable. This introduced a number of problems including hiding extensions and the old "foo.jpg.exe" type obfuscation. Even more dangerously because of the OS 9 compatibility requirements it provided two completely different means of identifying file types which could be contradictory and invisible to the end user. Switching to using extensions was practical even if it was backsliding. Keeping the old method for compatibility was practical as it allowed old software to still run cleanly. The conflict, however, now needs to be resolved. Turning off "open safe files" by default is probably the right behavior, but it is no where near as serious as the other problem this highlights.