- Using the cloud to deliver security, ReadWriteWeb
- Facebook private pages still accessible, The Register
- New programming language with security baked right in, Slashdot
- Flaw allows bypassing of iPhone lock code, Wired
- Security and privacy app for Facebook debuts, ReadWriteWeb
- Rise of the small botnet, Slashdot
- Firefox zero day under attack at Nobel Prize site, Zero Day
- Mozilla patches critical Firefox zero day flaw, The Register
- Critical vulnerabilities in Firefox 3.5, 3.6, Mozilla Security Blog
- Facebook worm ported to OS X, Zero Day
- New credit card flash attack may be responsible for up to $500K stolen a month, The Register
- Adobe Reader drive-by zero day flaw actively under attack, The Register
- Inside Google’s anti-malware operation, Slashdot
- Hiding back doors in hardware, Slashdot
- Cracking complex 14 character passwords in 5 seconds, CIO Zone, via Hacker News
I spotted this Download Squad story on Hacker News. It was prompted by a tweet from Mike Beltzner, the director of the Firefox project at Mozilla. There is a link in it, now being shared more widely, to a copy of the text of the developer agreement for the new app store. The problem Beltzner highlights is the set of unrealistic expectations encoded in the agreement–that betas will be disallowed along with any software that has bugs.
The Register has a longer piece, expanding on Beltzner’s criticisms of the move by Apple. I am not entirely sure I agree with his further contention that Jobs is moving to bypass the web. After all, we are only talking about “apps” (see below for how Apple is trying to make that term more than just a lazy abbreviation for application software). I will concede that it does feel like the Mac is getting a little claustrophobic between iTunes as the all-encompassing media environment and now this for software. I am wary of Apple’s long-term schemes but have confidence in the attractive power of the open web, especially as it much more readily invites the sort of disruptive innovation that is the bane of all attempts at walled gardens.
Sarah Perez at ReadWriteWeb has extracted some of the more interesting conditions in the agreement that legitimately bolster Beltzner’s cause for concern. Basically, just about everything we’ve come to expect of the store for Apple’s mobile platform will carry over into the one for their desktop platform. Well, everything except the fact that the Mac app store will not preclude other means of distributing software for Macs. Of course the Apple managed store will represent a distinctly non-level playing field. They are undoubtedly betting that even with the possibility of installing applications as folks do today, most will flock to the new store out of sheer convenience. All the more reason to look at Anil Dash’s ruminations on open alternatives about which I posted yesterday.
One other point to consider, if true, is that apparently the “apps” in this store will be distinct from actual applications. I didn’t bother viewing the live stream of the Apple event (because you have to use their proprietary codec to do so). What I can parse out of the various live blogs is that an “app” will work much like the programs on a smart phone: intentionally single-tasking and unconditionally full screen. Even if I thought that particular interpretation of an application were a worthwhile notion, which I don’t, I am certain there are applications that will suffer considerably in terms of usability and utility if shoehorned into this model. I suspect that fact more than anything will continue to pressure Apple, preventing them from closing down software distribution on the Mac exclusively to the very thin straw that is this app store.
Updated: A reader, Alex, did watch the live stream and while the full screen mode was presented in a confusing fashion, it does seem to be separate from the app store. Thanks for the clarification.
Slashdot is one of many sources covering an expansion of one of Apple’s existing patents, one that tellingly seems to use OS X screenshots to show how the viewing of advertisements is tied to the disabling of features, the presumption being that they would form a sort of unskippable and hence highly lucrative channel for pushing sponsored messages.
Personally, I think this has more to do with Apple’s new mobile advertising platform. For Mac OS X, it makes far less sense. The availability of substitute goods without forced ads is too great and the switching cost is much lower than with a smart phone where you have to contend with termination fees and potentially incompatible carrier data networks.
Besides, hasn’t some form of this rumor already made the rounds?
If Apple wanted to ensure a solid exodus from their non-mobile, non-appliance products, the surest way to do it would be to tie access to basic features of your Mac to spending attention on ads. Maybe if Apple is looking to divest itself of the Mac, then they would pursue such a scheme.
- Copyright violation ransomware in the wild
- Another VM based secure OS receives NSF funding
- Dubious benefit of some conventional security wisdom
- Privacy preserving algorithm for databases of personal info
- Apache.org passwords compromised
- How to exploit NULL pointers
- Adobe, MS push security updates
- Attacks exploit unpatched Adobe applications
- Unpatched Java exploit in the wild
- Java patch for latest exploit
- Apple fixes pwn2own flaw in Safari
- Executable PDF exploited by Zeus malware
- New OSX malware variant spotted
Slashdot links to a howto on replacing Apple’s proprietary home folder encryption with a FUSE-based, encrypted file system. The author explains the benefits and drawbacks as well as how to use a login hook to automate mounting and opening the secure volume.
The advantages are the opportunity to use stronger encryption, being able to back up data continuously rather than at logout, and using an open rather than a proprietary solution. The main disadvantage is that FileVault is more thoroughly tested and more likely to be reliable. For instance, EncFS at the moment has a known issue around use as a replacement home folder. To work around this, you’d need to have a separate folder as a mount point and manually link what you want to appear as if it is part of your home folder.
If you are an early adopter or a power user, this may be of interest to you regardless of the downsides. The ability to actually back up your protected data as you are working with it means the impact of a bug or crash is somewhat mitigated.
- Massive attack against Adobe Reader vulnerability right before patch
- Mac malware blocker hasn’t been updated in months
- Adobe chief defends inclusion of vulnerable JS in Reader
- Encryption cracked on NIST-certified thumb drives
- More on crack of NIST-certified thumb drives
- Rogue marketers can mine your Facebook data
- Beware of social engineering on Facebook
- Fast MD5 password using GPU
- Protocol change to address SSL vulnerability
- A new bill could undermine EFF’s DMCA exemption petition
The EFF has gone to bat for consumers seeking a DMCA exemption for unlocking phones. While they are waiting on a ruling, some providers have lobbied to get a bill introduced that would make the DMCA moot, legislating to directly forbid unlocking or otherwise modifying prepaid phones. Hopefully there will be opportunity for comment on the bill, soon, and an action alert from the EFF.
- An engineer’s proposal for copy-less book scanning
Via Hacker News. I had to admire the will to try to think through this solution but I don’t think any amount of technical indirection is going to pass legal muster. Big content has not been shy about making arguments about certain ephemeral copies being infringing, even if they are destroyed promptly. Not all courts have agreed with this notion, but enough to muddy the waters. I really hate having to say this just isn’t a technical problem, it really is a legal one. We need copyright reform, not obfuscation and encryption.
- YouTube being investigated in Germany for criminal infringement
As the linked article notes, it is not clear whether this will culminate in a court case. The fact that the rights holders here are pursuing criminal charges seems to be an escalation from civil proceedings from which they claim they did not get a response, or at least not an adequate response.
- iPhone app developer speaks out about piracy
The sample set is admittedly small but does appear to be a damning case study for pirates not using illegitimate copies to try before buying. The silver lining is that the developer is not just implementing a knee jerk protection scheme, but thinking about how to change their business model to capture more sales, such as giving the game away and charging for fresh, downloadable content.
- Apple discontinues port effort around ZFS
A lot of speculation as to why, ranging from uncertainty around Oracle’s acquisition of Sun and its stake in ZFS to a patent claim over the file system. Both point to better models to protect open source innovation in the face of problematic copyright ownership, like the raging debate over Oracle and MySQL, and the threats of software patents.
- Live action adaptation of Ghost in the Shell
IO9 has the details, none of which I am pleased with. I was massively disappointed by the animated film and slightly less so with its sequel. Standalone Complex made me feel a bit better, as I felt it followed the themes and visual style of Shirow’s work more closely. I just can’t conceive of how a live action version would do anything other than fall completely flat.
- Pre-release pirates facing prison sentence
I don’t have much to add to the simple reporting at Ars by Jacqui Cheng. This crew treads too far on the side of eroding marketability of music, really. If the rights holder has not released it yet, then this is not even a question of reasonable access, it really does interfere with the ability to publish and profit.
- UK PM apologizes for treatment of Turing
The petition to recognize the poor treatment of a hero of early computing was clearly successful. I do have to agree with Glyn Moody’s sentiment, though. While this is a nice response to activism, a more considered response would be to properly preserve the crumbling and underfunded Bletchley where Turing and others made such significant contributions to the war effort.
- Linux kernel developer points out tapering of MS open source efforts
Actually, if you put this in the context of the recent patent auction, in particular the theory that MS sold off some Linux-related patents with the hope a troll would acquire them, then this really suggests that skepticism is warranted despite what now seem much more like token gestures towards open source. To be fair, GKH doesn’t take MS to task exclusively but mentions other companies that haven’t backed up their contributions with coding effort.
- Apple releases its parallel programming code as open source
GCD complements other, more open efforts which Apple has been supporting. Apple has implemented OpenCL, a tool for parallel programming on GPUs, and GCD provides similar capabilities for multiple cores. The Slashdot post has many links to commentary and analysis, the most interesting of which is how GCD may be ported and put to use in place of or alongside older parallel programming systems like MPI/OpenMPI.
- Microsoft launches an open source foundation
Ryan Paul has the details at Ars. They are confusing and he rightly, I think, relates this to other recent confusion about the relationship between Microsoft and open source. The question that occurs to me in reading through the scant info on the new CodePlex Foundation is why they would not simply contribute those funds to an existing foundation? I am positive they have done so in the past and doing so again would seem to have far less potential for conflict of interest.
- Dark stalking on Facebook
Thanks to Phil for sending me this link. This expands on the concerns exposed by the ACLU-CA’s quiz that demonstrated how much data is exposed without constraint to application developers. The use of FQL suggests much greater ease for an attacker or other party interested in mining personal data. I hope addressing these exposures is already part of or will be made part of Facebook’s plan to address user complaints and the recent scrutiny from the Canadian privacy commissioner.
I continued my experimentation with Leopard and my Alesis MultiMix 8 FireWire this past weekend. I have excellent news to report as a result of those experiments.
I installed the new beta driver available from Alesis that specifically mentions Leopard compatibility in the release notes on the PowerBook G4 I upgraded to test with the stable drivers a few weekends prior. I do not recall whether I updated the PowerBook to 10.5.1 first but I am not sure that is relevant based on my second experiment, see below.
I was tickled to find that the beta driver works without issue on PowerPC hardware under Leopard. I did several twenty and thirty second recordings to make sure the old intermittent static issue didn’t resurface. The sound was clean and consistent. I am a bit superstitious about my main system, a G5 desktop, so will wait until the drivers come out of beta, testing them first on this spare PowerBook. If you are less superstitious, you are probably safe using the beta drivers, now, if you have dire need.
I have a friend who was concerned about the same problems I was having, but he has an Intel Mac. To cover his questions, too, I installed the beta driver on my MacBook Pro, hooked up the mixer, and recorded the same samples. My MacBook Pro was then and is now running 10.5.1 and the beta driver also worked perfectly on my sole Intel system. Again, if you are comfortable using beta drivers, I see no reason not to use these.