aliases

  • danieleran
  • Daniel Dilger
  • Daniel Eran
  • danieleran

danieleran

3 months ago

in MobileMe vs. Live Mesh on sarahintampa
You described MobileMe as being a "walled garden," but it's really a consumer offering. The platform behind it is open enough: Mac OS X developers can (and do already) sync their data to the MM cloud, enabling multiple Macs to share the same preferences, settings, or data (Microsoft syncs its PIM data to the MM cloud from Mac Office, for example; FTP client Transmit syncs up your account settings; DL syncs up your media library catalogs; and so on).

The MM service is designed to also present that data on the web or push it to the iPhone. Apple hasn't yet enabled third parties to develop their own MM web apps, and I'm not aware of any specific API to present synced data to the iPhone (although one can easily publish it to MM's WebDAV service and access it from either native apps or web apps on the phone (or any phone for that matter)).

That indicates that your characterization of Apple=Closed :: Microsoft=Open Platforms is really just wrong. The real relationship to highlight is:

Apple=shipped and still being actively developed, while not without flaws :: Microsoft=arrogant vaporware.

The tables have turned. In the early 90s, the opposite was true. Microsoft was shipping beta stuff that met people's needs, and Apple was just talking about great lofty architectures that it never shipped.

1 year ago

in A Picture’s Worth 100M Users??? on John's Blog
I think if Apple or Jobs had any intention of actually saying that Safari was gunning for Firefox's share of the market, it would have been said, not passively suggested in a slide.

Compare when Jobs made the "we're coming after you, buddy," comment about Dell with a slide of Michael Dell in a bullseye target(!). Nobody had to read any interpretation into that. Or the Macworld Expo keynotes where Jobs targeted competitors to iTunes, specifically Target, making a joke about it being the next company for iTunes to pass.

Jobs doesn't make coy allusions to threats in keynote slides. He made no comments about killing Firefox in his presentation. That slide was briefly thrown up with nothing really said about it. Also, why would Apple intentionally subtract Firefox's entire share, leaving IE's share unchanged? That slide was a bit sloppy, but reading anything into it is really grasping for straws.

Mozilla is an important ally to Apple in its efforts to build standardized web development. When bloggers make comments like "make no mistake: this wasn’t a careless presentation," it's a sign they are being dramatic idiots and trying to portray some fluff as the center of the universe.

When the blogger is John Lilly, or say any executive, it's a sign that company should have a blogger policy to prevent upper management from looking like fools to the public.

1 year ago

in Mac Punditry and The Office Paradox on Matasano Chargen
@ Thomas

If you read my article and came away with the idea that "I'm convinced that browser findings are unimportant," I have a hard time having a dialog with you.

Also, I never suggested that "iTunes Music Store is the premier target for attackers," only that it is a known, high profile target running Mac servers. I also included Apple's other web stores. I believe Apple's site is in the top ten most heavily trafficked sites, and the iTS is certainly a target hackers are motivated to exploit. Why would hackers target Limewire? That's absurd. What is there to get that isn't already available? Are you intending to have a meaningful discussion or just throwing mud furiously?

iTS demonstrates the fallacy of saying that Macs aren't under attack and that nobody has ever tried. It's not true, so stop repeating it.

Recall that a worm specifically targeted the BlackIce Defender firewall. Market share has little to do with incentive. It's all about reward vs risk.

@ Dave

You can quibble about Corvettes and what car gets stolen most, but you're missing the point. I wasn't proving a point about GM, I was making an analogy between cars that get stolen and computers that are broken into. Again, it's reward vs risk. It is not about quantity.

I already pointed out the difference between System 7 and DOS: One was designed for an appliance computer, the other for PCs chatting amongst themselves on a wide open LANManager office. Apple could bolt on network functions onto the Mac, but Microsoft has had major problems trying to wrap Windows in diapers to slow the amount of crap flying in and out of its open pores.

Dino's attack compromised the security of the Mac, but he only gained user level access. I don't want people being able to read my files, but that's a far cry from being able to install malware or turn the machine into a spam relay. That didn't happen.

Also, I don't think it's even controversial to say "it is currently easier to find vulnerabilities in OSX than it is to find vulnerabilities in Windows." Mac OS X contains a lot of open source, Windows is a proprietary black hole.

Dino didn't compromise Mac OS X, he apparently compromised the Java plugin, something that is common to many platforms. It was not easy or quick to discover, and required user interaction to set in motion.

Saying that staged event is somehow in the same league as Microsoft's Windows crisis is just plain credulity.

The "Macnorati" are not saying Macs are impossible to crack, only that Mac security is better IN THE REAL WORLD compared to Windows. Even Windows cheerleader Paul Thurrott admitted that. There are ZERO MAC VIRUSES.

At some point, you have to compare the theories you want to believe in with the truth: THERE ARE NO MAC VIRUSES. Change your tune appropriately.

Since I haven't noticed a single criticism from anyone on your site that seems genuine and straightforward, I'll leave you at it to publish whatever information you like. I don't understand the interest and point in refuting the truth and insisting white is black, and I'm tired of seeing you stuff words in my mouth. Either your operation is very disingenuous, or your group collectively has poor reading comprehension.

1 year ago

in Mac Punditry and The Office Paradox on Matasano Chargen
Hi, I wrote the article you are criticizing.

A remote vulnerability is one where attackers are able to access a machine remotely. There doesn't seem to be much real confusion on that point.

In the case of the CanSecWest Macs, an automated "user" had to click on a URL causing a local Java exploit, which opened up the potential for a remote user to gain access to a user level file.

I took issue with calling it a remote exploit because it wasn't a remote exploit. It was an exploit of user behavior which opened up the potential for a remote exploit.

If a user turns on file sharing with a blank password, it is not a "remote exploit" if someone reads their files. It is a locally opened security hole.

If the CanSecWest Macs had been directed to a malformed graphic that caused Safari to arbitrarily execute code (like the flaw discovered in Vista), then yes, that would be a remote exploit via the browser.

That didn't happen.

--

Regarding your other comments, I referenced school populations full of Macs as a high density installation of Mac systems, in an environment where script kiddies could run wild.

But that isn't happening. Clearly, the argument that Macs are too uncommon to warrant interest by attackers is a spurious one.

During the decade of System 7 and Mac OS 9, there were a few Mac viruses, but they were really only a problem when working with shared files. Networked Macs didn't have significant security problems because they didn't allow remote access by default. That's why the Army moved its webservers from NT to Classic Macs running WebStar. The only port open was 80.

While the Classic Mac OS "didn't have security" in the sense of system enforced file or user permissions, it also didn't have open ports listening for LANMan chat, nor did it ship with insecure protocols like SMB running.

Your description of the classic Mac OS isn't really accurate; the old Mac OS was more secure than DOS+Windows, and even NT in practical applications such as serving web pages without being taken over and vandalized.

No amount of artificial C2 Security badges made NT secure in the real world.

Your tangent about Corvettes is odd; I don't know where you were going with that. The point I made seems pretty clear: people don't steal the most common cars because they are there, they steal things that offer them some sort of value with minimal effort.

That's why car "security systems" work. They aren't impossible to get around, but they make attacking the car more dangerous and slower, making other, easier targets appear more attractive.

Similarly, if Macs were easy to target, they would be used to propagate viruses and spam too, just as they can be used to transmit Word macroviruses today.

You blow off the example of Apple's iTunes Store servers, which we know are under regular attack but have not been compromised. Why?

How many massive examples of secure installations are needed to support the fact that Macs are in fact regular subjects of attacks, they just hold up better?

That's not to say Macs can't be compromised, only that it's a myth to say that Macs aren't under attack because their numbers don't compare to PCs. We know that there are significant installations of Macs that are attacked but not owned, and that they are regularly holding up in high volume Enterprise environments.

If you're not aware of the scale of the iTunes Store servers, I'd suggest examining how it is that Macintosh servers are running the largest media download servers in the world, with hundreds of thousands of thin clients running concurrent sessions buying songs, previewing content, and managing accounts.

As for vulnerabilities in Word for Mac, there are known problems with macros and VB for Office that translated to the Mac because it is the same platform. If Microsoft ported Windows to PowerMacs, it would bring all the Win32 problems with it.

Surely you realize that Office for Mac is written to Mac APIs, not Win32?

Windows code quality most certainly is part of the problem behind Microsoft's security nightmare, but so is Microsoft's reliance on proprietary development. There are also factors Microsoft can't control: bad third party software, for example.

1 year ago

in Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won on Matasano Chargen
InfoWorld Publishes False Report on Mac Security

"Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

"In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being “able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.” That part was simply wrong.

"Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

More info under a series of subheadings:

Gohring's Mac Security Myths
Microsoft’s Security Embarrassment
Mac OS X and Security
The Mac Minority Malware Myth
Why Macs Aren’t Sending You Spam

2 years ago

in Zune: Why Apple Should Care on Webomatica
I'm interested in your ideas because I'm writing about the Zune too.

Unfortunately, I think you have some errors in your logic:

- it's a myth that Apple had a huge share of the PC market and lost it because of Windows. Actually, Microsoft pioneered many new markets with the PC, leaving Apple in the home/creative niche they were already in. Apple didn't lose market share, they just didn't move into dumb terminals and cash registers and ATMs.

- the only backlash about Fairplay is theoretical. Zune, PlaysForSure and everything else Microsoft has touched has been criticized for draconian DRM that serves to destroy the product.

- prior to the iPod becoming "Wireless" it would need iTunes built in. Currently, the iPod is not really a computer, but more of an appliance. The Zune is a full WinCE handheld, with all the baggage AND features that entails. They are very different strategies.

www.roughlydrafted.com