The little arrows aren't spying. This has nothing to do with the little arrows. And besides, I've changed the little arrows so they take me to the full set of that album, or that artist's work.
This is the equivalent of TextEdit automatically searching the Internet for the name of the document file you just opened.
Anything that phones home about stuff on my computer without telling me is bad, in my book. Apple didn't put my music on there (except for the few iTMS tracks); it doesn't deserve to know about them unless I choose to tell it.
Here is what Software Update says about the update:
"With iTunes 6, you can preview, buy, and download over 2,000 music videos and hit TV shows on the iTunes Music Store and sync your music and purchased videos with iPod to enjoy on the go. To watch purchased videos, you must have QuickTime 7.0.3 or later and Mac OS X 10.3.9 or later.
"iTunes 6.0.2 includes stability and performance improvements over iTunes 6.0.1.
"Note: After purchasing music from the iTunes Music Store with iTunes 6 or later, you will also need to upgrade your other computers that purchase music from the iTunes Music Store to the latest version of iTunes."
I never read the EULA on my updates; does anyone? Nevertheless, here's what the EULA I got before I downloaded the update says about iTMS:
"4. iTunes Music Store and other Services. This software enables access to Apple's iTunes Music Store which offers downloads of music for sale and other services (collectively and individually, "Services"). Use of the Services requires Internet access and use of certain Services requires you to accept additional terms of service which will be presented to you before you can use such Services."
Perhaps I missed it in all the legalese, but I couldn't find anywhere that it said anything about phoning home about music on my computer.
Oddly, the EULA I got after I installed the update and started iTunes is...different. DIFFERENT. Though both are titled "Software License Agreement for iTunes." WTF? I say again, WTF? However, I still wasn't able to find anything about phoning home.
I start iTunes. I see a pane at the bottom of the screen with iTMS stuff in it. So what? I click a track to start playing. It phones home, retrieves the information, and tells me what others who listen to Joan Jett & the Blackhearts also purchased.... Um. I didn't see any changes to my iTMS Terms of Service.
No, I don't think I was given any reasonable warning that iTunes' behavior had changed, and it was now telling Apple about music on my computer.
It does seem that Apple has been very careful in setting this up, technically, so that information on individuals is not stored or tracked. That's good. If I were given the choice, I might choose to let iTMS track my music in the hope of getting more obscure depressing Irish folk music online. However, in this case, virtue is not enough. They also need the appearance of virtue, and this they sorely lack.
And I'm still confused about the EULAs. Perhaps the morning will make it clear.
Apple screwed up: this is unquestionably spyware, because it's not clear before you install that this is going on, it was slipped into a regular update, etc. I'm definitely a Maccy, but I won't serve as an apologist for this. It's wrong. Period.
That said, it doesn't appear to be malicious. It's very easily turned off and that doesn't seem to disable any function that isn't directly related. They're not hiding what they're doing as they do it.
I'd chalk this up to stupidity and poor communication. It doesn't seem like they were really trying to hide anything, just that they didn't think, "Hey, maybe I should be extra-specially-clear and disclose this." The tech people weren't talking to the marketing people; what a shock.
I'd hope for a quick mea culpa and clarification of the service. Perhaps, when you start the updated iTunes for the first time, a dialogue box could pop up and say, "Hi! Want me to tell the iTMS what song you're playing? Then I can make recommendations for you! [Yes] [No] [Bite me]"
You're begging the question of whether the Major Internet Worm/Virus is the main thing worth patching to avoid. I'm not sure that's the case; most vulnerabilities are used in a variety of exploits, and the major malware is just the one that makes the most headlines. Also, most of the ones you mention already had patches available; they weren't zero-day exploits precipitated by "usually well meaning security researchers."
I appreciate that you've said you need more data, but I think you actually need a lot more data than you seem to realize. Your rhetoric ("glory of a 0-day exploit") seems to be pushing for a conclusion that is not yet warranted.
There are researchers who publish too fast. There are also vendors who take way, way too long to do anything about vulnerabilities.
No, it didn't hurt. But in a few weeks, Spielberg will transform into DRM-Man, a superhero who can crack DES keys in his head, spin thousands of times a second in place, and spoof anyone's biometric credentials! He is dedicated to wiping out piracy everywhere in the world!
...Thus increasing global warming. The next chapter has a battle between DRM-Man and the Flying Spaghetti Monster!
"I think webmail will soon be replacing client side readers for all but power users."
Small businesses may be willing to switch to webmail. Large businesses will not. They just won't put their mail on someone else's servers, for many reasons -- security, legal requirements, contingency planning, etc. Nor are they going to develop their own webmail solution when Notes or Outlook or whatever already work with current business processes. Email clients are important and will continue to be important.
Honestly, I think they're mostly just worried about work productivity.
My work blocks a lot of things. Not slashdot, obviously.... But it does block access to my home email, as well as the one site I use all the time. Because I am not able to access the pure crack of my addiction, I waste far more time just keeping my endorphin levels up with inferior distractions. If they just let me do what I wanted, I would be able to keep them up with much less time wasted!
"Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light."
F-Secure has been very upfront throughout that they were trying to work with Sony on this. A month is certainly ok, especially given how deeply this hooks into the system. Releasing the information with a working, non-system-exploiting removal tool would have been much better all around, and they were entirely responsible and reasonable to try to do that.
(Russinovich was also entirely responsible and reasonable to publish, too. There is Irresponsibly Fast Full Disclosure, Responsible Full Disclosure, Irresponsibly Slow Full Disclosure, and No Disclosure. It's a continuum. Both F-Secure and Russinovich were, imo, inside the Responsible Full Disclosure window.)
I disagree. I think F-Secure did great. I also think Mark Russinovich did great.
I think that it would have been much better if the news could have broken with a working, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.
On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.
I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.
Sony need not apply to that group, though.
Repeat after me: That is not autorun. (on KDE 3.5 Released)
That is not autorun. K? Got it? Try again.
The problem with Windows autorun is that it automatically ran untrusted code from the CD you just put in. This appears to let you automatically do something using the trusted code on your own computer. That's what OS X does, and it's fine.
There is a BIG difference between opening the CD ripping app on your computer, and opening some random app on the CD itself. If the CD ripping app on your computer is a Trojan, it's on your computer and you're already rooted. This is no more dangerous than a script you write yourself to call applications on your own computer.
If KDE allows the CD maker to point to a random file on the CD and say "Run me!" then they deserve all the scorn one can pour upon them. But if the computer just says, "Hmm, I see a bunch of audio files! I will open my trusted audio application!" then it's a timesaver and not a major risk. (Ok, there might be some exploitable overflows in the code that does this, but that can happen anywhere.)
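To make the distinction in that comment concrete, here is an added example (not code from the original comment, nor from KDE or OS X): a mock media-insertion handler that classifies the inserted volume by the file types it contains and picks a trusted program that already lives on the local machine, while any "run me" manifest found on the media is recorded and ignored. A second function shows the autorun.inf-style pattern the comment objects to, purely for contrast; it only parses, never executes. Handler paths, the non-Windows manifest names and the sample disc listings are constructed for the illustration.

```python
# Added example, not code from the original comment nor from KDE or OS X:
# a mock media-insertion handler that makes the comment's distinction
# concrete. The volume is classified by the file types it holds and a
# trusted program already on the local machine is chosen; any "run me"
# manifest on the media is recorded and ignored. Handler paths, manifest
# names and the sample listings below are constructed for the illustration.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Hypothetical trusted local applications, keyed by the media type detected.
TRUSTED_HANDLERS: Dict[str, str] = {
    "audio": "/usr/bin/local-audio-player",     # assumed path
    "photos": "/usr/bin/local-photo-importer",  # assumed path
    "video": "/usr/bin/local-video-player",     # assumed path
}

MEDIA_TYPES = {
    "audio": {".cda", ".wav", ".flac", ".ogg", ".mp3"},
    "photos": {".jpg", ".jpeg", ".png", ".tif"},
    "video": {".vob", ".mkv", ".mp4", ".avi"},
}

# Names a disc author might use to ask the host to execute something from
# the disc. autorun.inf is the Windows one; the others are made up here.
RUN_ME_MANIFESTS = {"autorun.inf", "autorun.sh", ".autorun"}


@dataclass
class Decision:
    action: str                    # "launch" or "ignore"
    handler: Optional[str]         # trusted local program when launching
    ignored: List[str] = field(default_factory=list)  # manifests found and discarded


def classify(listing: List[str]) -> Optional[str]:
    """Return the dominant media type on the volume, or None if nothing is recognised."""
    counts = {kind: 0 for kind in MEDIA_TYPES}
    for name in listing:
        ext = PurePosixPath(name).suffix.lower()   # only the suffix is inspected
        for kind, exts in MEDIA_TYPES.items():
            if ext in exts:
                counts[kind] += 1
    best = max(counts, key=counts.get)
    return best if counts[best] > 0 else None


def handle_insert(listing: List[str]) -> Decision:
    """Safe policy: launch only a trusted local handler chosen from the content type.

    Nothing named by the media is ever a candidate for execution; a manifest
    on the disc is merely reported so the user (or a log) can see it was there.
    """
    manifests = sorted(
        n for n in listing if PurePosixPath(n).name.lower() in RUN_ME_MANIFESTS
    )
    kind = classify(listing)
    if kind is None:
        return Decision("ignore", None, manifests)
    return Decision("launch", TRUSTED_HANDLERS[kind], manifests)


def legacy_autorun_target(manifest_text: str) -> Optional[str]:
    """The pattern the comment objects to: an autorun.inf-style 'open=' line
    names a file on the disc and the host would run it. Shown only to
    contrast with handle_insert, which never consults the manifest at all."""
    for line in manifest_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() == "open":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed volume listings.
    audio_disc = ["Track01.cda", "Track02.cda", "Track03.cda", "autorun.inf", "setup.exe"]
    data_disc = ["readme.txt", "setup.exe"]
    print(handle_insert(audio_disc))   # launches the local player; autorun.inf listed as ignored
    print(handle_insert(data_disc))    # nothing recognised, so nothing is launched
    print(legacy_autorun_target("[autorun]\nopen=setup.exe\nicon=setup.exe,0"))
```

The design point is that the only executable ever chosen comes from a fixed table on the host, selected by what the media contains rather than by what the media says; the content check itself looks only at lowercased file suffixes, keeping the parsing surface small.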
Well, then, why didn't they say, "We can't do anything yet because this is nasty. We are working on a fix."
Instead, they're saying the DRM software that hijacks your device driver is legitimate, and the rootkit was really only kinda bad because it hid legitimate software....
WriteNow still works on my Tiger iBook. In classic mode, true, but it works. I don't actually use it any more (I wrote a book, editor wanted track changes and magic macros, I cracked), but it works.
"How can you be in infosec and use a Mac?" WTF? (on Bad Day To Be Sony)
I'm really not sure why you think your statement follows.
1. Being able to secure XP is not the same as being willing.
2. Working in infosec does not necessarily mean working with MS products.
3. Working with MS products is not the same as securing XP.
4. What one works with is not necessarily the same as what one uses personally.
5. What one works with is not necessarily the same as what one wants to use, personally.
You can set your default to plain text; that works, too.
I'm dying to know... What percentage of the code is commentary?
And are there any haiku?
Your problem is easily solved. Store temperatures in Kelvins. No 0....
Remember the seasonal reference!
Begin declaring
Global integers, constant
As the winter rain
Check for null values
That will cause problems later
Cherry blossoms fall
No, that's not what he said.
Stable overlords? Now that's a GREAT idea! I'm getting tired of the unstable nutjob kind.
While there are always some things you have to memorize, organic chemistry is often taught as a laundry list of reactions. It can be very hard to figure out how the reactions relate.
It's the difference between the white pages of the phone book, and the yellow pages. White pages = memorizing every freaking reaction. Yellow pages = finding some system for categorizing them.
The system in organic chemistry is "electrons flowing from source to sink." The electrons just roll downhill. This adds some memorization -- I _still_ know some of the electronegativity numbers for organic elements, and I haven't done chemistry in five years -- but allows you to figure out what a reaction will be, in many cases.
Ozone reactions, on the other hand, just are. You definitely have to memorize those.
Paul Scudder's Electron Flow in Organic Chemistry is the textbook you want. It's all about electrons going from source to sink.
(New, the book is overpriced. Even the author thinks so -- he was complaining back when they raised the price to $30, and now it's $50. So get it used and send him a nice email if it helps.)
I just went through the local public library system. They had 13 of the CDs. And 39 current holds on them, total. I'm going to ask what the total circulation has been and then write my local Attorney General.
Um, after Thanksgiving....
Tell that to the anti-full-disclosure people. They can't create patches given years!
This rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software.
McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.
Microsoft is only removing XCP, not the DRM. I haven't been able to find any statements from Microsoft regarding the DRM at all.
Norton Internet Security 2005 AntiSpyware Edition
McAfee AntiSpyWare 2005
Microsoft Windows AntiSpyware (Beta)
This is their business. Period.
Well, then, why didn't they say, "We can't do anything yet because this is nasty. We are working on a fix."
Instead, they're saying the DRM software that hijacks your device driver is legitimate, and the rootkit was really only kinda bad because it hid legitimate software....
No, no, letters would be Creative Commons.
My favorite Clippy quote along these lines is, "It looks like you're writing a love letter. Can I read it?"
WriteNow still works on my Tiger iBook. In classic mode, true, but it works. I don't actually use it any more (I wrote a book, editor wanted track changes and magic macros, I cracked), but it works.