Member
http://www.theregister.co.uk/2006/12...of_apple_bugs/
Apple has taken some action after the "month of kernel bugs", but I'm not sure they will react kindly to some bloke exposing vulnerabilities to the world... I personally believe that an open-source model in the end improves security, so therefore I'm inclined to agree with Mr Finisterre. What do you think? Is it a good thing?
"That’s because an “integrated Intel graphics” chip steals power from the CPU and siphons off memory from system-level RAM." (c)'06 ww.apple.com
BANNED
I am worthless beyond hope. Join Date: Dec 2005
I think the guy is a dick in need of a life.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Immediate public disclosure like this is extraordinarily irresponsible, and very childish. This guy just wants media attention, and he's going to get it. The term I saw elsewhere was "showboating."
From everything I've read, Apple is generally responsive to people who report security issues, so there's no reason this guy can't go through the normal channels to report issues and have them fixed. He just wants to create a stir. Also, of the two bugs listed so far, one is a cross-platform QuickTime bug, and the other is a VLC bug. Note that VLC is (a) not an Apple-made application, and (b) also cross-platform. If it continues like this, I suspect we'll see this "showboater" grasping for straws (like VLC) frequently of the month. There's nothing newsworthy about third-party apps having vulnerabilities. I can write an app that has a hole, but that doesn't make it Apple's fault. What an ass. Like Brave Ulysses said, he should go rot in a hole. Apple's generally responsive, unlike other companies who like to sweep stuff under the rug for a while. Granted, they'll wait to roll a fix into the next software update (be it 10.4.9 or what-not), but they'll take care of it.
Apparently I call the cops when I see people litter.
Member
Join Date: Dec 2006
I like the idea of bringing new bugs to the attention of the public, but I do have some issues with him not contacting Apple about them beforehand. Personally I prefer the idea of letting a company know if there are bugs in their products and giving them a decent amount of time to fix them. Once they are fixed, or if they haven't fixed them in a decent amount of time (say several months), then they can be disclosed in the hope it will light a fire under their butts.
But I said the same thing when the month of bugs was going on for Windows as well.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Disclosing vulnerabilities without the chance for a fix just degrades security; it gives potential attackers a known attack vector that will be open on all systems until Apple can release a patch. Also, blaming VLC vulnerabilities on Apple is silly. It just goes to show that this guy wants publicity more than anything.
New Member
Join Date: Jan 2006
I think it is great and a good way of showing the sad state of affairs in computer security currently. How long has the process of a security researcher finding a hole, reporting it, giving time to fix, and publicly posting the hole been going on? It seems like the same problems over and over. How come there isn't a way to wipe the hard drive after use on a computer built into the OS after its 3-5 year life? Businesses and home users should have this.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
MOAB: What on earth are you talking about? Virtually all commercial operating systems from the past thirty years have included some functionality to wipe the hard drive. Or are you suggesting a computer should just arbitrarily erase itself after a few years like some sort of ticking time bomb? And what does that have to do with the Month of Apple Bugs?
The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Veteran Member
Join Date: May 2004
What Brad said, plus...
If the title of the site is Month of APPLE Bugs, and by day *TWO* they're resorting to third party *and cross-platform* bugs, that would indicate that: 1) Apple-generated bugs are pretty hard to find, i.e., good and solid. Excellent. 2) They're just attention whores, knowing that if they slap 'Apple' on the blog, they'll get hits. Highly irresponsible of them, attention whoring at its finest, and just plain immature grandstanding.
Veteran Member
Join Date: Oct 2005
Why the fuck is he posting exploit scripts with them?!
‽
New Member
Join Date: Jan 2006
Brad, is your computer security world so small as to include only OS X? If disk wiping has been a part of commercial operating systems like you claim, why don't more people know about it? Where is it in Windows? I searched for Solaris and it took a lot of finding. Where is it in OS X? Internet whoring is like your post of the picture above that really serves no purpose to the topic at hand. Why even post that?
New Member
Join Date: Jan 2006
So, when you're done with your computer and are getting rid of it, you use Secure Erase on the whole hard drive? The "Month of Apple Bugs" this month and I had heard about a month of Oracle bugs. It really doesn't matter what the target is, it's a month of security bugs.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
"newfs" or "mkfs"? I found explanations in mere seconds with my first search. Maybe I'm just lucky? fdisk has been around since the early DOS era and was included with Windows up through Windows Me. Windows XP includes a program called Disk Management. You can also erase drives and repartition from the Windows installation disc. This option has been available for as long as I can remember. Disk Utility. It's in your /Applications/Utilities folder as well as on the Mac OS X Install Disc and the Software Restore discs that are included with every Mac. Sure, if you're paranoid. A simple reformat is fine for most cases. Though, I ask again: what does this have anything to do with the Month of Apple Bugs?
New Member
Join Date: Jan 2006
The reformat doesn't really get rid of the data. I was talking about securely wiping the entire disk of information so it wouldn't be easily recoverable. There are a number of utilities to recover data. I expanded the topic to computer security because of some of the previous posts. Obviously, you just see Apple and that is where you stop.
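The point above, that a plain reformat leaves file contents in place while a full overwrite does not, as an added toy simulation (not code from the thread or from any of the tools it mentions): the disk image, its block layout, the "filesystem" metadata strings and the sample secret are all constructed; the carve step stands in for the recovery utilities the post refers to.

```python
# Added illustration (not from the thread): a toy disk image showing why a
# plain reformat leaves file contents recoverable while an overwrite does not.
from typing import Optional

BLOCK = 512
NBLOCKS = 64
META_BLOCKS = 4              # constructed layout: blocks 0-3 hold "filesystem" metadata
DATA_START = BLOCK * 10      # constructed: the single file's contents live at block 10

# Constructed sample secret; the marker is what a carving tool would search for.
SECRET = b"ACCOUNT=4111-0000-0000-0000 (constructed sample)"
MARKER = b"ACCOUNT="


def make_image(payload: bytes) -> bytearray:
    """Build the image: fresh metadata, filler everywhere else, payload at DATA_START."""
    img = bytearray(b"\xff" * (BLOCK * NBLOCKS))          # unused space on a blank disk
    img[:BLOCK * META_BLOCKS] = b"TOYFS v1".ljust(BLOCK * META_BLOCKS, b"\x00")
    img[DATA_START:DATA_START + len(payload)] = payload
    return img


def quick_format(img: bytearray) -> bytearray:
    """A plain reformat: only the metadata region is rewritten; data blocks are untouched."""
    img[:BLOCK * META_BLOCKS] = b"TOYFS v2 (empty)".ljust(BLOCK * META_BLOCKS, b"\x00")
    return img


def overwrite_erase(img: bytearray, passes: int = 1) -> bytearray:
    """A secure erase: overwrite every block, ignoring the filesystem structure entirely."""
    for _ in range(passes):
        img[:] = b"\x00" * len(img)
    return img


def carve(img: bytearray, marker: bytes, length: int) -> Optional[bytes]:
    """Simulate a recovery tool: scan the raw data blocks for the marker, ignoring metadata."""
    idx = img.find(marker, BLOCK * META_BLOCKS)
    if idx < 0:
        return None
    return bytes(img[idx:idx + length])


def recover_after_quick_format() -> Optional[bytes]:
    """Returns the secret: the data blocks survived the reformat."""
    return carve(quick_format(make_image(SECRET)), MARKER, len(SECRET))


def recover_after_overwrite() -> Optional[bytes]:
    """Returns None: nothing is left to carve once every block was overwritten."""
    return carve(overwrite_erase(make_image(SECRET)), MARKER, len(SECRET))


if __name__ == "__main__":
    print("after quick format:", recover_after_quick_format())
    print("after overwrite:   ", recover_after_overwrite())
```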
Veteran Member
Join Date: May 2004
*points to thread title*
You pulled the hard disk issue out of thin air, bub. But just to engage in a bit of necrosadobestiality, Disk Utility offers what you want, very obviously and explicitly. The format/erase pane is on the left. When you follow the directions listed *right there* and click on "Security Options", you get the choices on the right. Now, just for flips and giggles, assume the user hasn't the first clue how to do this. Go to Mac Help, under the Help menu in the Finder. Enter 'erase disk' in the search box. 2nd hit points you to Disk Utility to do this, and even has a link to open it for you. Could. Not. Be. Simpler. Now, what does this have to do with MOAB again?
Last edited by Kickaha : 2007-01-04 at 14:43.
Veteran Member
Join Date: Jul 2005
Location: Unknown
Windows doesn't have a good "secure" disk eraser. There are lots of stories out there about people getting private data off of old computers that have been sold, donated, etc. I imagine that the vast majority of these were not even re-formatted, but even those that are still risk giving up data to people who really know what they are doing. I'm not sure what the *real* risk is. News articles tend to be too sensational/reactionary, leaving people with the impression that it's a bigger problem than I think it is.
I use a 3rd party utility called DBAN which is pretty easy to find with a simple Google search. But, it would be an easy thing for Microsoft to include in Windows - like what Kickaha detailed in OS X.
Do you know where children get all of their energy? - They suck it right out of their parents!
On Pacific time
Join Date: May 2004
Location: Moderator's Pub
Excerpt of article:
He seems perfectly - even *smugly* - happy to expose millions of 'others' to completely unnecessary security breaches. How would *he* like it if skilled hackers posted on the internet all the security flaws associated with his own personal financial accounts? How would he like it if a map of his house were posted, along with times of the day when no one is home, and windows and doors pointed out where it would be easy to break in? Oh, and all these revelations would be made *solely* in the interest of kindly helping Mr. Finisterre tighten security on his financial accounts and at his home. Surely he'll be overwhelmed with gratitude at all the warmhearted assistance being offered him. This guy seems bitter and jealous wrt the security Apple users have enjoyed. His act seems vengeful, destructive, and potentially criminally liable. As an analogy, let's imagine that a group of Californians become bitter because their homes have either burned in Santa Ana wildfires, slid into the ocean on mudslides (after torrential rains) from being built on precarious hillside land too close to the sea, or become damaged from tremors because they were built on earthquake fault lines. They bitterly notice the safety of homes far away from these perils, and jealously decide that it's not fair that these other homeowners live in security because of the wise decisions they made. So the bitter Californians seek to ruin the security and safety of these other homes in whatever way they can. To me, that seems pretty much the same as:
If significant problems result for people as a result of his actions, they should band together and file charges against Kevin Finisterre and his loathsome project. He really, really deserves some concrete consequences for his criminally irresponsible deeds. ***Disclaimer: These (above top) are NOT *real* suggestions wrt Finisterre's accounts and house. Rather, they are a sarcastic attempt to show how offensive and harmful the irresponsible publication of security flaws can be. I do NOT advocate breaching *anyone's* security in any way. (Just wanted to make that PERFECTLY CLEAR.)
Veteran Member
Join Date: Mar 2005
Location: Near Indianapolis
Damn, I hope I never piss Carol off!
Hoonigan
Join Date: May 2004
Location: Canada
Actually Carol, you're pretty hot when you get like this.
**ROWR**
Member
Although the MOAB may not be the correct way to deal with security issues, I believe it does raise some very valid questions about the current state of computer design/manufacturing.
I know that Apple has very high standards in its product QA, but a lot of other manufacturers do not. Today, thanks to us consumers, Time To Market is so very important for a company to survive that quality standards are severely reduced. A lot of 1st gen products are simply not secure enough, or are so riddled with bugs, that they are in effect not usable until a fix or Rev. 2 is released. For instance: Apple released Mac OS X 10.4 on 2005-04-29, the first security fix for it on 2005-05-03 and the first point-release on 2005-05-16. That is a major release, security fix and a point release in 17 days. My (KiSS) hardware DVD player did not work correctly out of the box. I had to download a firmware upgrade and flash the player just to have what was advertised on the box. For a device that has a very limited feature list, that is ridiculous. How long does Google keep its services in Beta? Why? Keeping in mind the very first sentence of this post, I believe that the general public should be made aware of these issues in whatever way possible. It is a very bad thing that most tech companies now only seem to release demo-products just because the public only buys (not wants, or needs) the product that is first to market. We have to find a way so that consumers will demand products that are properly tested before they leave the factory. -- re-reading this post I see that I've gone very OT here, but since I think it's a relevant and important issue, I'm going to post it anyway
Veteran Member
Join Date: May 2004
Ewe raise some very valid points, the question is... how best to go about educating consumers to demand better?
Of course, then you have to *UN*educate them to demand *more*. You get more features, or you get better quality, but not both. Unfortunately, most consumers won't accept that tradeoff as valid, and want both, at the lowest price possible, preferably free.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
The cracked-up test scenarios I've seen that are relics from ancient bugs are... ridiculous. "Copy a 512MB file with exactly 500 characters in the name across AFP; ensure transfer completes." Even with 100% coverage through unit-testing, it's impossible to predict the random, uncanny corner-case scenarios that maybe two users will encounter when certain components interact in a very specific, very quirky way. Complete test coverage just isn't going to happen. From a vendor standpoint, it's a matter of mixing time-to-market with quality and letting the consumer decide if your mix is the best of the available options. Right now, I think Mac OS X is doing pretty well, even though it's not perfect. Microsoft, on the other hand, has some serious time management problems, and it remains to be seen if Vista has serious quality issues. It's not yet in wide enough distribution/use to make a good call. I see what you're saying, but there's a reason the market has never sustained a vendor who focused on absolute perfection. Some of us just try to get really close.
is the next Chiquita
Join Date: Feb 2005
Does the software testing have to be done by a human? Can't a script do the testing and hang at failure with a notification to the developer or something? Heck, program the script to do random things or pattern a normal usage with some random factors with a log of action taken, no?
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
Months. Perhaps indefinitely.
Because it's the cool "Web 2.0" thing to do. That and it's a lazy cover-your-ass way to not make any hard commitments. "Why doesn't XYZ work?" "It's in beta."
However, tests are only as intelligent as the person who writes the tests. They can test all sorts of use cases and extreme edge cases, but they can't prod something they don't know to check.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
UI testing is a very challenging beast, and difficult to automate reliably in many situations. Either (a) your code has to expose information about the UI programmatically, so a script can "parse" the UI, or (b) you need a UI testing suite that is intelligent enough to look at raw graphics data and "find" controls. Because even though your functions might be fairly bulletproof, sometimes only the right sequence of UI events will cause an error. Regressions can be checked using scripts (i.e. make sure an old UI bug doesn't appear again), but it's hard/impossible to program a UI testing script to exhaustively check all possible input events, combinations, and timings that might lead to problems (hangs, races, deadlocks, crashes, and so on). That's why truly exhaustive testing is, and always will be, essentially an impossible feat. Part of that's because an exhaustive search of all UI events and timings would be a problem so big in size that no (super)computer in the world could conquer it in reasonable time. So to make use of the limited testing resources provided, we have to pick and choose our battles---that is, we run the tests deemed most important and most comprehensive. Most of the time it works. Sometimes it doesn't.
Member
My point, however, was that a lot of companies these days seem to reduce QA to the point where large and "easy to find" bugs are not found and fixed (or worse, are found and deemed not important enough. Mail.app hiding at startup comes to mind...). Another example: the Nokia 5500 Sport with black keyboard has the problem that the rubber used to make the black keyboard changes size when exposed to temperature changes/high temperature. This means that almost every 5500 Sport released until now will have the keyboard come unglued and thus be unusable. This occurs fairly quickly; 1 week of walking around outside and putting it in and taking it out of your pocket will trigger the problem. This means that Nokia (once a company like Apple with very high QA standards) didn't even bother to test the model in a normal use / real world situation.