Thursday, February 22, 2007

Odd OS X bug: can't share the shared folder

There's a longstanding and mysteriously ignored flaw in OS X File Sharing.

If I connect to one of my Macs using afp, I can browse all the folders belonging to the user I've connected as. I cannot, however, browse the shared folder -- as any user!

I wonder why this only annoys me ...

Update 4/14/07: I thought I knew a fix for this, but I was fooled. If you create an alias to the Shared directory and put it in your home directory, it looks like a remote client can get to it. Wrong, OS X simply redirects to the local shared directory!

I wonder again why I'm the only person who seems to notice this ....

Update 4/15/07: I've been looking at this from a few angles, and this is a real wart. My guess is that the Shared folder is a kind of kludge that was stuck into the OS as a temporizing measure. There's no standard way in OS X (non-server) to create a network share that everyone can access! The one folder available for local shares is not network accessible! (Insert more exclamation marks.) Grrr.

See also: the Parents folder.

Update 9/3/08: This was fixed in 10.5

End of the line for the 35mm full frame sensor?

Canon's latest pro camera uses an APS sized sensor:
High-end Canon SLR counters Nikon | Tech News on ZDNet

As with the 1D Mark II, the sensor is the APS-H size that shrinks the field of view by a factor of 1.3 compared with traditional 35mm film SLRs. That means a 50mm lens on a Mark III has the field of view of a 65mm lens on a traditional film SLR. (The APS-H size is right between the APS-C sensor, which has a 1.6 crop factor and is used in Canon Rebel XTi and 30D SLRs, and the full-frame sensor, which matches 35mm film and is used in the 5D and 1Ds Mark II...

Curious. Why introduce another sensor dimension?

Multiclick iTunes album column to subsort

macosxhints.com - Sort by album and artist or year in iTunes 7

...click on the Album column to sort by album (as you would expect), then click again to sort by 'Album by Artist' and again for 'Album by Year.' ... play whole albums at a time, but ... keep artists together.

Why doesn't Apple ever document stuff like this?

SpyMe: another remote control app for OS X

SpyMe2 is presumably another VNC based remote control app, though the main page doesn't mention VNC. We're still waiting for something like Windows terminal services (RDP).

I might try it. Inexpensive.

Wednesday, February 21, 2007

The NYT Permalink Generator

I'll start using this in my blog posts:
TidBITS - Create Permanent Links to the New York Times

... because the New York Times considers itself as the newspaper of record, back in 2003, they worked out a deal with Dave Winer of UserLand Software to provide permanent links in RSS feeds generated through the Radio UserLand RSS aggregator. That said, it would seem that the New York Times is running its own RSS feeds now, so there's no obvious way to find a permanent link to an article you're reading on the New York Times Web site...

...use the New York Times Link Generator, written by Aaron Swartz of the social bookmarking site reddit. Just feed it a link to a New York Times and it returns a version of the link that will remain free for the foreseeable future, though of course the Times could always change their policy. There's also a bookmarklet that you can use to generate a permanent link from the current page when you're on the New York Times Web site.


Monday, February 19, 2007

Hard drives: everything is wrong

I'm used to this sort of reversal from medical science, not computer hardware. Google research says we don't understand hard drives all that well.

In brief:

1. They're much less heat sensitive than we thought. Once a drive is "mature" heat doesn't have much of an impact on lifespan.
2. After a drive emerges from its infant mortality period, it's not much affected by use. So contrary to everything I've ever written, there's no great need to spin down a USB attached drive.
3. If a drive is found to have any defects on initial testing, it is 10 times as likely to fail as a defect free drive. I'd read that Apple selects server drives by buying conventional drives and tossing out any that have defects. Makes sense. If you buy a new drive, and find a mapped-out defect (may need special software), maybe you should consider returning it ...

Friday, February 16, 2007

The router/javascript bug - this feels big

This feels pretty serious to me. In retrospect, of course, the attack is obvious. I suspect many security people have known about this vulnerability.

Symantec Security Response Weblog: Drive-By Pharming: How Clicking on a Link Can Cost You Dearly

...The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings...

Since I'm a geek I have two inline routers from different vendors with different admin passwords (the password you use to connect to an encrypted WLAN is not relevant here) and, I think, usernames. There are probably two other people I know who do this. I'm not even sure I changed the un/pw on my mother's router -- nor would I necessarily know how! Her primary router, which is where her DNS information comes from, was installed by her cable company.

In the near term browser vendors will be scrambling to see if they can hack in some fix that breaks javascript for this purpose, while not disabling it for every purpose. I'm interested in what Schneier will say.

I don't believe my Airport Router has a web interface, so it's probably immune. Even if it weren't, Apple has a distribution mechanism that allows effective updating of their routers. There's something to be said for that ...

Most browsers, btw, will 'memorize' passwords. I presume that's not exploitable here.

PS. I assume it's obvious to my handful of geeky readers, but a robust WLAN password is of no help here. This is all about the router's admin pw.

Update 2/16/07: I underestimated myself. I did change my mother's router's admin pw.

Update 2/24/07: Schneier has an article. He agrees, it's impressive.
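
The attack quoted from Symantec works because a router's admin interface will accept a settings change from whatever page the browser has open. As an added example (not code from this post, from Symantec or from any router vendor), here is the server-side check an admin interface can apply to refuse such requests; the router origins, the `csrf_token` field name and the sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumptions for illustration: the router's own admin origins, the form field
# name "csrf_token", and header names given in canonical case.
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.lan"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "null" and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_admin_request(method, headers, form, session_token):
    """Return (allowed, reason) for one request to the admin interface."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"  # settings must never change on GET
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "state-changing request without Origin or Referer"
    if origin_of(source) not in ROUTER_ORIGINS:
        return False, "cross-site request"
    supplied = form.get("csrf_token", "")
    # An empty session token must never match an empty supplied token.
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "same-origin request with valid token"

# Constructed sample requests: (description, method, headers, form fields).
SAMPLES = [
    ("admin saves DNS from the router's own page", "POST",
     {"Origin": "http://192.168.1.1"},
     {"dns1": "192.0.2.53", "csrf_token": "tok-7f3a"}),
    ("form auto-submitted by a page on another site", "POST",
     {"Origin": "http://other-site.example"}, {"dns1": "203.0.113.66"}),
    ("same-origin Referer but no token", "POST",
     {"Referer": "http://router.lan/dns.html"}, {"dns1": "203.0.113.66"}),
    ("status page view", "GET", {}, {}),
]

def evaluate_samples(session_token="tok-7f3a"):
    """Run every constructed sample through the check."""
    return [(desc, *check_admin_request(m, h, f, session_token))
            for desc, m, h, f in SAMPLES]

if __name__ == "__main__":
    for desc, allowed, reason in evaluate_samples():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {desc}: {reason}")
```

Neither check depends on the admin password, so a request forged from another site is refused even when the router still has its factory default login.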