Fri Jun, 25 2004
Is Secrecy Apple's Biggest Problem?
From the article:
"1 Infinity Loop, the company's Cupertino, California, headquarters. Like its pretentious address, Apple's haughty attitude simply annoys people."
Um. It is One Infinite Loop, not Infinity, and that is an electrical engineer's joke. Look it up if you're curious. It's not a haughty attitude - it's an inside joke. Geez.
I actually agree that Apple could open up more on some things. As far as pre-announcing products, just look at what happens to innovators who pre-announce: their competitors seize on some obvious statistic about it, make a junky copy before the real thing is released, and claim they beat the innovator at their own game. Example: Google's GMail. They are going to offer 1 GB of email storage, but even more importantly, they are going to have a MUCH better interface. Of course, Yahoo, Hotmail, etc. are all upgrading their storage quotas before GMail is even publicly released. How many of them are doing the most important thing: making it easier to use? None of them, and yet they are probably going to succeed in stealing a lot of Google's thunder, since most journalists are too lazy to explain why GMail is still much better - one single number is not the whole picture.
Fri May, 21 2004
Mac OS X Security Hole
Sander Tekelenburg has written a great description of the issues involved in the Mac OS X URI Handler Arbitrary Code Execution security hole. The new "help protocol" security hole is a serious one. I've written before to debunk the stupid exaggerations of the Trojan Horses recently released. Those amounted to "don't run bad programs - bad programs can do bad things."
This "help protocol" problem is serious - it can affect a Mac user who has done nothing more foolish than visit a web site. Not just dangerous ones either. People could easily post links to dangerous sites on forums and deceive people into clicking those links.
Apple had better fix this quickly. In the meantime, there are several fixes available; a bunch are discussed at MacOSXHints.com. It doesn't sound like Don't Go There GURLfriend does enough. Either manually reset the help protocol handler and disable "open safe files," or use something that does more than just modify the script containing the flawed code.
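The forum-link vector described above is the kind of thing a moderator or mail gateway can screen for. The following is an added example, not code from the original post: it scans posted text for links whose URI scheme is outside an allowlist, so that links handed to an OS-registered protocol handler (a help: link, for instance) are flagged before readers click them. The allowlist, the regular expressions and the sample post are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Schemes a forum or mail gateway normally needs to render. Anything else is
# handed to whatever application the OS has registered for that scheme.
# (Assumption: this allowlist is a policy choice for the example.)
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# href="..." attributes, and bare scheme:... tokens in plain text. The bare
# pattern is deliberately greedy (a plain-text "Word:Word" is reported too);
# this is a triage scanner, and a false positive costs a glance.
_HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
_BARE_RE = re.compile(r'\b([a-zA-Z][a-zA-Z0-9+.-]*):(?://)?[^\s<>"\']+')


def extract_links(text):
    """Return every URL-like string found in href attributes or bare in the text."""
    links = _HREF_RE.findall(text)
    links.extend(m.group(0) for m in _BARE_RE.finditer(text))
    return links


def suspicious_links(text, allowed=ALLOWED_SCHEMES):
    """Return (url, scheme) pairs whose scheme is not in the allowlist.

    Relative links (no scheme) are not reported. Scheme comparison is
    case-insensitive, so HELP: and help: are treated the same.
    """
    seen = set()
    flagged = []
    for url in extract_links(text):
        if url in seen:
            continue
        seen.add(url)
        scheme = urlsplit(url).scheme.lower()
        if scheme and scheme not in allowed:
            flagged.append((url, scheme))
    return flagged


# Constructed sample forum post (not from the original page).
SAMPLE_POST = """<p>Check out my site: <a href="http://www.example.com/page">here</a>
and mail me at <a href="mailto:someone@example.com">this address</a>.
A "helpful" link: <a href="help:placeholder-help-link">click for help</a>
Also see ftp://files.example.com/pub and <a href="/local/relative">local</a>.</p>"""

if __name__ == "__main__":
    for url, scheme in suspicious_links(SAMPLE_POST):
        print(f"flagged scheme {scheme!r}: {url}")
```

Only the help: link is reported for the sample post; the http, mailto and ftp links pass, and the relative link has no scheme to judge. The allowlist, rather than a blocklist of known-bad schemes, is the point: any scheme the gateway has not explicitly decided to pass through gets a human look.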
Thu May, 13 2004
Intego attacks Mac OS X
Fear-mongering software maker Intego has done it again: taken the obvious idea that you should not run applications whose contents you cannot trust and turned it into a supposed "security threat." Come on, Intego, Apple has real security issues to take care of, without having to figure out a way to prevent a user from deleting his own files. The most telling quote from Intego:
"This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user's files with no warning, and AppleScript offers no protection against malicious commands."
Ah, yes, the horrible dangers of being able to delete your own files.
This has nothing to do with the capabilities of AppleScript, the command line, or anything else. You could write an application that did this using BASIC, perl, Pascal, C, C++, Objective-C, python, ruby, bash-shell, c-shell, zsh, tcsh, ada, AppleScript, lisp, scheme, Java, or just about any other language that has the ability to make file system calls.
This is just a simple reminder that you should NOT run applications that you don't know are safe. Anyone could write a "trojan horse" for any platform that does this. Programs routinely have the ability to delete files and/or folders - they need to. Something like this could be written for any operating system, and if the user is dumb enough to run it, there is nothing you can do.
Do you want to verify every time your web browser decides to clear old files from its cache?
Intego is outright lying when they say this exposes a "serious weakness in OS X." Yeah, the weakness of letting a user delete his own files. Perhaps you should be forced to save all files onto CD. None of this crazy read-write media for you.
Apple may even have grounds to sue for damage to business. Intego's claims cross the typical fear-mongering of anti-virus companies into outright slander.
So, there is NOTHING for Apple (or Microsoft, for that matter) to do about this. The spokespeople quoted here are probably going to have to take a day off to recover from having to deal with all the numbskulls this lie brought out of the woodwork.
No offense to TMO, but this needs to be completely exposed for the lie it is. Doesn't hurt to remind people to avoid being stupid, though.
"Hey, Johnny - if someone tells you to drag your Home directory into the Trash can and then choose 'Secure Empty Trash' from the File menu, don't do it."
Sat Apr, 10 2004
Trojan Horses not a new threat
Mac security software company Intego recently warned the world that someone else had discovered a weakness in Mac OS X: it executes applications that you double-click on. They claimed things like "Delete all of a user's personal files," "users can no longer safely double-click MP3 files in Mac OS X," and more rampant fear-mongering. Intego never mentions whether they bothered to report this serious problem to Apple, just that they thought they should announce it to the world immediately (after they had a fix themselves, of course).
The hysterical warning by Intego notwithstanding, the threat of Trojan Horses is real for any operating system. The capability of including executable code inside any MP3's ID3 tags is not surprising. It is also not surprising that for this to work, the file actually has to be recognized by the operating system as an Application, and it is. Intego carefully neglected to point out that their "proof-of-concept" Trojan Horse actually is displayed as Kind: Application in both the Finder preview window AND in the Get Info window. This "serious threat" is basically just a sophisticated way of pasting an MP3 icon onto an application.
The Trojan Horse in question needs to be sent in a format that protects and encodes the resource fork, which most operating systems strip away. This means that the file would need to be compressed in OS X's zip format, Stuffit format, or something similar. Most MP3s are not compressed this way, since MP3 ITSELF is a compression format.
Intego only advises people to buy their software, without even mentioning the ways that users can easily protect themselves by just not double-clicking every file that shows up. This fact proves their intent, which seems to be to make money by greatly exaggerating a slight twist on an existing situation: do not execute applications you don't know are from trusted sources!
In fact, I have tested the following: it is possible to make an AppleScript application saved as a bundle, include an MP3 file in it, and rename it so that it ends with .mp3. Paste an MP3 icon on it and you've essentially duplicated this "serious threat."
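The point of the two paragraphs above is that the OS classifies the file by what it is (an application bundle, or a file with an application's resources), not by the .mp3 name and icon. The check below is an added example, not the post's own code: it walks a download folder and reports anything named like a media file that is really a directory with a Contents/ bundle layout, or an .mp3 whose first bytes are neither an ID3 tag nor an MPEG frame sync. The extension set, the signature check and the constructed sample tree are this example's assumptions.

```python
import os
import tempfile

# Extensions that name passive media. A path with one of these that turns out
# to be an application bundle is the mismatch the post describes.
# (Assumption: the set is chosen for this example.)
MEDIA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".png", ".mov", ".pdf"}


def looks_like_mp3(head):
    """True if the bytes start like a real MP3: an ID3v2 tag, or an MPEG
    audio frame sync (0xFF followed by a byte with its top three bits set)."""
    if head[:3] == b"ID3":
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def classify(path):
    """Return 'bundle', 'media', 'unexpected-content' or 'other' for one path."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MEDIA_EXTENSIONS:
        return "other"
    if os.path.isdir(path):
        # A directory named like a file. A Contents/ subdirectory is the
        # bundle layout the Finder reports as Kind: Application.
        if os.path.isdir(os.path.join(path, "Contents")):
            return "bundle"
        return "unexpected-content"
    with open(path, "rb") as fh:
        head = fh.read(4)
    if ext == ".mp3":
        return "media" if looks_like_mp3(head) else "unexpected-content"
    return "media"  # other media types get no signature check in this example


def scan(root):
    """Walk root and return sorted (relative path, finding) pairs.
    Flagged bundles are not descended into."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            p = os.path.join(dirpath, name)
            kind = classify(p)
            if kind in ("bundle", "unexpected-content"):
                findings.append((os.path.relpath(p, root), kind))
                dirnames.remove(name)
        for name in filenames:
            p = os.path.join(dirpath, name)
            if classify(p) == "unexpected-content":
                findings.append((os.path.relpath(p, root), "unexpected-content"))
    return sorted(findings)


def build_demo():
    """Construct a sample download folder (this example's own data)."""
    root = tempfile.mkdtemp(prefix="mediascan-")
    with open(os.path.join(root, "real.mp3"), "wb") as fh:
        fh.write(b"ID3" + bytes(61))  # starts with an ID3v2 tag header
    bundle = os.path.join(root, "renamed-app.mp3")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "Info.plist"), "w") as fh:
        fh.write("<plist/>")
    with open(os.path.join(root, "notes.mp3"), "w") as fh:
        fh.write("not audio at all")
    return root


if __name__ == "__main__":
    for rel, finding in scan(build_demo()):
        print(f"{finding:20} {rel}")
```

On the sample tree, real.mp3 is accepted, renamed-app.mp3 is reported as a bundle, and notes.mp3 is reported because its contents are not audio. This is the same "Kind: Application" information the Finder already shows, just gathered for a whole folder at once.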
Intego's original press release: http://www.intego.com/news/pr410.html
Intego's updated press release: http://www.intego.com/news/pr41.html
Again, in Intego's updated press release, they state the following: "Apple's Mail, and Microsoft's Entourage, for example, encode this file using binhex by default, which transmits the resources that are required for this Trojan horse to function."
Once again, they fail to mention that Mail (at least) warns you that the file is actually an application.
It is obvious to me that Intego is taking advantage of fear to drum up sales for software that most Mac users believe (correctly) they do not need. Simply paying attention to what one is doing will avoid this particular "vulnerability" from becoming a threat.
There are few "fixes" for preventing users from foolishly executing malicious code by direct action. Should Apple require the user to verify every new application's first launch? Most users would get so used to clicking "OK," this would lose any real effectiveness.
Of course, they could shell out money to Intego, and of course they would then be safe and sound, right? Intego, after all, has Mac users' best interests at heart.
Other relevant links:
MacFixit: http://www.macfixit.com/article.php?story=20040409073009731
Ars Technica: http://arstechnica.com/news/posts/1081623266.html
Geeks R Us: http://www.geeksrus.com/archives/000481.html
MacMerc: http://www.macmerc.com/news/archives/1336
MacNN: http://www.macnn.com/news/24167
I won't bother posting the links to all the inconceivably lazy publications that basically reprinted Intego's press release and actually put an author's name on their article. Just do a Google search for those pathetic excuses for journalism.
Fri Feb, 06 2004
Ars Technica Reviews OmniWeb 5.0 Beta
Ars Technica Reviews OmniWeb 5.0 Beta (read review), but misses something on the tab issue: horizontal space is much less valuable than vertical space, especially in web browsers (and many other text-heavy formats), as almost all screens are wider than they are tall, while text pages tend to be taller than they are wide.
John Siracusa makes many great points (as expected) about how tabs can be done to maximize user efficiency. His section on OmniWeb's tabs explains a great idea: allow regular tabs AND the new thumbnail/drawer mode. However, there is one additional concept that can improve on this. The regular tabs should still be in the drawer, but when there are only a small number of them (user-customizable, of course), the names of the tabs run vertically, and the drawer stays very narrow. For example:
(Figures: Drawer with vertically-running tabs; Drawer with thumbnails)
Basically, OmniWeb could have some smart defaults, but allow the user to customize the thresholds at which it switches between horizontal versus vertical tabs (but ALWAYS in the drawer - remember that the vertical space above a page is more valuable) and the vertically-running tabs, and the thumbnails.
Thu Oct, 09 2003
Two Cursors Better Than One?
I usually use my PowerBook G4 with a USB mouse and the built-in trackpad, switching between one and the other. I just noticed today that I sometimes have my right hand on the mouse, but move the cursor with my left hand on the trackpad. My right hand still expects the cursor to be where the mouse left it.
I wonder how hard it would be to support two independent cursors when there is more than one input device? That, unfortunately, is not in my area of programming, so I'm not sure how hard that would be to hack. I'm guessing we won't see that from Apple, since it still sticks to a "no-button" mouse. Of course, I'm happily using said mouse right now. I find that scroll-wheels and extra buttons just aggravate my carpal-tunnel.
Wed Mar, 19 2003
Well, here it goes...
Watching ABC News, and reading around the Net to see what's happening. Have to decide when to just go to bed, or stay up forever watching.
Sun Mar, 09 2003
Philly Area AppleScript User Group
Well, I just did a quick check, and it seems that the Philadelphia Area AppleScript User's Group is one of the few in existence. I did a search on Google, and the only other one I came up with was the Boston Apple Script User Group. It sounds like it will be interesting, and there are quite a few good scripters I recognize from various mailing lists.
http://homepage.mac.com/applescriptguru/AS_Guru/pages/user_group/user_group.html
Dihydrogen Monoxide
I just read a very important warning about a dangerous substance lurking in our water supply at http://www.matthewmiller.net/dihydrogen_monoxide.html
Oh, btw, for those of you who don't know, this is supposed to be funny. Keep in mind that "di" means 2, "mono" means 1, and the chemical symbols for hydrogen and oxygen are H and O, respectively. :-)
Sun Mar, 02 2003
WebSearches Script for Big Cat
I just finished my first (of what I'm sure will be many) script for the freeware Big Cat contextual menu plugin. Big Cat allows you to write scripts to handle files or highlighted text in any application that supports system-wide contextual menus.
WebSearches allows you to search for your highlighted text on one of several web sites. The part I love the most, though, is that the user can ADD their own searches to it, simply by running a search on the site they want and looking at the URL of the results page. Most searches use the GET method, and thus you can see the whole search right in the URL. Once you have that, you can add your search to WebSearches' list. Check it out.
http://danshockley.com/bigcat.php
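The "look at the URL of the results page" trick above rests on two things: GET searches carry the term in the query string, and whatever the user highlighted has to be percent-encoded before it is spliced in, or a selection containing & or = would be read as extra parameters. The following is an added example, not WebSearches itself or its AppleScript: it derives a search template from an observed results URL by locating the parameter that carried a probe term, then builds properly encoded search URLs from that template. The sample URLs and the restriction to http/https are this example's assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def template_from_results_url(results_url, probe_text):
    """Build a search template from the URL a site produced when searching
    for probe_text. Exactly one query parameter must carry the probe;
    otherwise (POST form, term in the path, ambiguous match) raise ValueError."""
    parts = urlsplit(results_url)
    # Only web URLs belong in a browser-launching search list.
    # (Assumption: policy for this example.)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"refusing non-web scheme {parts.scheme!r}")
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes + and %XX
    matches = [k for k, v in params if v == probe_text]
    if len(matches) != 1:
        raise ValueError("probe text must appear in exactly one query parameter")
    return {
        "scheme": parts.scheme,
        "netloc": parts.netloc,
        "path": parts.path,
        "params": params,          # other parameters (language, sort) kept as observed
        "query_param": matches[0],
    }


def build_search_url(template, text):
    """Substitute the highlighted text into the template's query parameter.
    urlencode percent-encodes &, =, # and spaces, so the text stays one value."""
    params = [
        (k, text if k == template["query_param"] else v)
        for k, v in template["params"]
    ]
    return urlunsplit((template["scheme"], template["netloc"],
                       template["path"], urlencode(params), ""))


# Constructed sample: results URLs captured by searching each site for
# "zebra stripes" (not real sites or URLs from the original post).
PROBE = "zebra stripes"
SAMPLE_RESULTS = {
    "Example Search": "http://www.example.com/search?q=zebra+stripes&lang=en",
    "Example Wiki": "https://wiki.example.org/w/index.php?search=zebra%20stripes&go=Go",
}
SEARCHES = {name: template_from_results_url(url, PROBE)
            for name, url in SAMPLE_RESULTS.items()}


def search_url(name, highlighted_text):
    """URL to open for the named search and the user's highlighted text."""
    return build_search_url(SEARCHES[name], highlighted_text)


if __name__ == "__main__":
    for name in SEARCHES:
        print(name, "->", search_url(name, "Big Cat plugin"))
```

Adding a search is exactly the procedure the post describes, done once: search the site for a known term, paste the results URL in, and the code finds which parameter to replace. The ValueError on sites that use POST or put the term in the path is the honest answer for those sites: there is no GET URL to reuse.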