Friday, February 24, 2006

The security flaw in OS X: bad

Macintouch has the first decent and clear analysis of what Apple did wrong. The way OS X "identifies" a file is a hack, a kludged compromise between Mac Classic, UNIX, BeOS, Windows, and NeXTStep. The results include some fundamental contradictions which can be easily exploited.
MacInTouch: timely news and tips about the Apple Macintosh

[MacInTouch Reader] The initial press coverage of the (misnamed) Safari/Terminal vulnerability has a number of folks barking up the wrong tree.

This vulnerability has nothing to do with Safari, other than Apple's design mistake of having Safari by default open "safe files" making the exploit far easier.

This vulnerability has nothing to do with Terminal, other than Terminal being a convenient way to run arbitrary scripts. There are other bundled apps that handle provided scripts. For example, compiled applescripts in 10.3 can be run despite being renamed as a jpg or the like via a metadata reference to Script Runner.

This vulnerability is not specific to zip files. Any archive file type that can contain metadata in an OS-X-standard way can be used. Examples are zip, tar, ...

This vulnerability is two mistakes together, involving the application and use of improper metadata.

The first mistake is in the OS routines and example code that allow writing usro or other resources which are inconsistent with a file's extension. The applications that take advantage of these routines/examples, and which can consequently be used to extract exploits, include at minimum the default BOMArchiveHelper (OS X 10.3 or newer), and StuffIt Expander 10.

The second mistake is in the OS routines that have the Finder, Mail, and likely many others displaying the file type branding (icon) based on the extension (.jpg, .mov, etc.), while then opening the file based on the non-matching type and owner in the usro metadata.

The second is more critical to fix, across the board, as malicious files can potentially be written to disk by an attacker without using traditional archivers like BOMArchiveHelper or StuffIt Expander.
I've long suspected that the kludged history of OS X would make it very vulnerable to attacks. That's why I've never boasted of the fundamental security of O X. I suspect security experts felt likewise. So why now? I wonder if this had anything to do with the hacked betas of OS X/Intel that are circulating. A whole new audience may be playing with OS X ...

It will be amusing if it turns out that the primary security feature of OS X was that malicious hackers couldn't afford the hardware to allow them to develop attacks. Now they can. If so, there will be a lot of others coming.

Apple is being characteristically silent. They've known this would happen, it's a bad sign that they haven't fixed the problem long ago ...

Update 3/6/06: Matt Neuberg has a very good summary of this problem. Fundamentally he agrees with me, but he knows more.

Griffin Technology: A fine company going down

Griffin Technologies was one of my favorite companies. Alas, they're going downhill fast.

I bought their AirClick iPod RF remote and discovered, as have others, that the range is very limited. It's less useful than an IR remote. I thought the problem might be RF interference with the home security system, but changing location didn't help. Their FAQ suggested changing the battery, but when I opened the device I found the battery was epoxied in place. I tried calling tech support, but got a message saying they were in an "all day meeting". Then I tried emailing tech support and got this message:
502 Proxy Error:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /contact/email.php.
Reason: Could not connect to remote machine: Connection refused
This doesn't look good.

Update 9/29/06: Well, they did end up doing better. Once I got a human being on the phone they were quite happy to have me send in the unit, which they were sure was defective. I didn't want to spend too much time on this, so I just tossed in the component I was sure was broken. Wrong one! I was ok with that and forgot about it. Today, out of the blue, Griffin sent me their current AirClick. Now, it's not at all suited to what I wanted to do (control iPod output to my stereo) -- it plugs into dock connector and prevents charging, but it was quite nice of them. I'll see if I can figure out a use for it and if I can't I'll give it away. I think it's intended for an iPod in a backpack, but it's kind of a silly device.

Thursday, February 23, 2006

Google Dashboard Widgets

I'll try these on OS X 10.3 using Amnesty to run the widgets ...
Google Macintosh Dashboard Widgets

... The Blogger Widget enables quick and easy posting to your blog. Checking your Gmail inbox becomes a matter of pressing F12 with the Gmail Widget. And the Search History Widget allows you find that website you saw last week while searching Google.

Google launches an AJAX web authoring and hosting application

Alas, it's toast right now:
Google Page Creator is having a little trouble right now.

This is not because of anything you did; it's just a little hiccup in our system that will hopefully go away soon. We apologize for the inconvenience, and recommend you try reloading this page.
Very interesting if it will allow me to host images, PDFs, etc. Great for small organizations. A significant problem, however, is likely to be moving data from one account to another -- something that's important for small organizations, volunteer groups, etc. Bloglines has the same problem.

I guess this is what will replace FrontPage for most users ...

Update: I got it working. Both this site and Gmail are up and down however, must be one heck of a load! You can upload files, such as PDFs, from the page manager and then link to them from the pages.

At the moment it appears to be a single user service linked to a single account. However, I found out that they've implemented page locks, which can be broken. So it's designed to be multi-user.

I wonder if they'll eventually allow site content to migrate between Gmail accounts? The URLs won't migrate, they include the account owner name. There's a 100MB site size limit at the moment.

Google is going to "own" our digital identities. This makes me wonder when the Google word processor will come out.

Norton Commander -- for OS X?

Macintouch writes:
Xfolders 1.1 is a Mac OS X file manager that displays two directories at once in side-by-side panes and provides Norton Commander-style keyboard operation as well as drag-and-drop and menu commands. Along with move/copy/delete/rename, it provides control of file and folder permissions, bookmarks and a bookmark manager for folders, Finder integration, intelligent path navigation, toolbar access to system utilities, and other features. This release adds an integrated Spotlight search, more versatile search and compare options, support for zip/unzip, faster copying, and other improvements. Xfolders is free for Mac OS X 10.4.
The author's web site has a screen shot that shows the same function keys I remember from the original Norton Commander. NC/DOS was one of the best products I've ever used on any platform -- a true classic. I used FileCommander for OS/2 for a while, it came close. This app is pretty new, so it's worth checking out the versiontracker and macupdate responses. Too bad this German company doesn't have an XP version.

I'll give it a try and update this post with what I learn.

Update 2/24/06
: I tried it and it wouldn't launch. I suspect it wants to run in admin mode; I always run in regular user mode. Deleted immediately. If an OS X application won't run in user mode then there's a very high probability that it's junk.

Wednesday, February 22, 2006

Amnesty fixes OS X Widgets and brings them to Panther

$20. I have to try this. OS X's Widget implementation is absurd. Who needs yet another layer besides the desktop and the application layer? This app lets widgets live in the desktop and in 10.3.x. I've got to give it a try. (Via Macintouch)
Mesa Dynamics

Amnesty Widget Browser is a utility for Mac OS X Tiger and Panther (10.3.9) that allows Dashboard widgets to have expanded capabilities as they run directly on your desktop via a convenient icon in your system menu bar.

Widgets loaded in Amnesty Widget Browser run completely outside of Apple's Dashboard environment, maintain their own preferences and feature adjustable display settings such as window level (desktop, standard or floating), opacity (transparency) and shape (now you can rotate and scale your widgets so they fit on your desktop where you want them). And to keep things nice and tidy, groups of widgets can be arranged into multiple virtual workspaces that can be called up —by menu or hot key—to your screen at any time.

Best of all, this 'independence' from Dashboard means Panther users can—for the first time—get in on Apple's widget experience, using Amnesty Widget Browser to run many third-party Dashboard widgets (a library of sample widgets is also bundled with every copy).

And Amnesty widget technology also powers our freeware Amnesty Screen Saver, which lets you get widgets all the way out of Dashboard (and into your screen saver).

So whether you're a Tiger user looking for a way to keep the Weather widget embedded in your desktop, or a Panther user who wants to try out the latest and greatest Dashboard widgets, Amnesty Widget Browser offers something for everyone. Download your copy today and take your widgets out for a spin.

Sunday, February 19, 2006

iPhoto Dumb Albums

Grrr. iPhoto "Smart Albums" are basic Boolean queries. That's all they are. Unlike iTunes, you can't create complex queries by nesting multiple Smart Albums. In other words, you can't include a 'smart album' in a query, only a regular album.

So you can't create complex Boolean queries of the form (a OR b) AND (c or d).

I so need Aperture. I'm grinding my molars down waiting for 1.11 to come out. I don't trust 1.0, since Apple's quality control budget is apparently measured in pennies.