Monthly Archives: April 2006

Weapons of Mass Destruction Part Two – You didn’t convince me!

So I guess I expected some negative comments and reaction to my malicious code/virus post and I got it but I am amazed at how dangerous some of the opinions are in the comments:

While one could write some form of malware for OS X, it’s just really, really hard to get it to spread without user intervention. Only Windows has, built-in and enabled by default features that make spreading malware so easy.

Not to go all Penn and Teller on you but thats bullshit. Why?

Safari, the web browser that comes pre-installed and default on OS X comes with an option to automatically execute files that have downloaded. This option is switched on by default and has already been used to execute shell scripts via downloads of seemingly “safe” files like JPG images and MOV movies. (Thanks to Faruk Ateş for the article link).

Seems like a reasonable built-in and enabled by default mechanism for executing malicious code to me.

It also scares me that it seems to be a common misconception that because OS X is forked from BSD that it is automatically secure:

OS X is based off of UNIX, which has been around for 30something years without any really huge, epic, windows-style virus outbreak.

Safety of Max OS X is largely based on BSD.

Darwin has been heavily modified and added to since it was that BSD that has been out there for years. Don’t get me wrong, I am not saying that it is insecure, but I am saying it is foolish to just assume that it is because a version of it was, once upon a time because every change made since that fork has the possibility of introducing a new security issue.

That’s not even the worst of it though, Darwin is only a small part of the software that gets installed with Tiger and all of that additional functionality has a chance of containing security issues. Consider as well that I can go out to a web site, download any old .dmg, drag it to my applications folder and run it without being prompted to elevate my privileges.

The final point that came up a few times in comments on the previous post that I want to tackle is the argument of “Well, what would an OS X virus checker actually check for? There are no viruses!”

Viruses or worms for any operating system only succeed if they are allowed to propagate quickly and easily. You or I or anyone else who is likely to be reading this blog would almost certainly know within a matter of a few hours of getting to a computer if some outbreak happened. However, it is the people who wouldn’t know or care about it that would do the damage. The mothers who just use a computer to check e-mail and wonder what the little bouncing circle is that sometimes shows up. The graphic design professionals that really don’t care how their software works as long as they can express themselves.

The point of virus prevention software would be to get a mechanism out there onto every Mac that would be ready to receive information/prevention information from a central service. The software update service is a good start to this but only covers vulnerabilities in system software and does not actively check for malicious code that attempts to execute. The important point is that those people who don’t care what a virus or a worm is, don’t need to care.

Note: There are 2 important points that I would like you to consider before commenting on this post. Firstly this is in no way a comparison with Windows and I am not saying that any of this is better or worse than windows and I would like to keep the comments focused on an unbiased view of Mac OS Security rather than saying why Mac OS security is better than Windows security. I am also not saying that Darwin or OS X are full of security holes and bugs because it obviously is not true. What I am saying is that this idea that it is either secure by default or somehow not at risk from attack is wrong wrong wrong and the attitude of Mac users needs to change from “it can’t happen to me”.

Technorati Tags: , , , , ,

Saturday Morning Multi-Coloured Swap Shop

So after the SubEthaEdit give away the other day, MacZOT sent me two free registration codes instead of one so I have a spare :) So tell me how you would use it in a comment and put your e-mail address in (it won’t be published) and I will send the free code to the most worthy, creative or just plain fun use of it!

But! at the same time I am going to ask for something from you guys :) Does anyone have a spare Google Analytics invite? I signed up for their waiting list months ago but it doesn’t seem to be getting any attention so I would be really grateful to get hold of one if anyone has any spare (send them to dave@dvhome.co.uk).

Excuse the title as well, I was struck by a dose of nostalgia when suggesting this swap on a Saturday morning. If you aren’t 30-something from the UK you are forgiven for not getting it :)

Technorati Tags: , ,

The Mac has no Weapons of Mass Destruction but we should invade anyway!

So I was reading this post last night about switching from XP to Mac which covers this entire blog in one post! (well, kinda :)

It is a really good overview post of almost every commonly encountered piece of Mac OS X and has some nice recommendations in it but he makes a bold claim which I have heard many times both before and after switching and I have been meaning to cover on this blog.

If you never want to worry about viruses infecting your computer again to delete all your vital information, then perhaps the switch to a Mac is more worth your time than you think!

Surely it is naive of us all to simply assume that because there hasn’t been a virus that has been successfully distributed on Mac OS yet, that there never will be and it is only something that Windows users have to worry about! Ok so the competition to write a virus for the Mac was cancelled, but that doesn’t mean that there are not people actively writing malicious code for this platform.

Security updates are posted all the time for Mac OS (there have even been several in even the few weeks since I have had my Mac) so it certainly isn’t that the operating system is invulnerable to exploits. More importantly, as the usage of Mac OS increases (via Intel Mac’s, Boot Camp, etc) so the surface area of the platform also increases as does the number of people working on developing sucessful malicious code. It is a ticking bomb.

I know there are virus checkers available (ClamXav, Norton Anti-Virus, etc, etc, etc) that currently scan for known (Windows) viruses so that Mac’s don’t act as a conduit for those viruses even though they can’t run them themselves but wouldn’t it be better for the Mac community to spread a different message than “You don’t need a virus checker!” because on Windows, it took years of education and even direct operating system changes to condition users into recognising the need for a virus checker and making sure it was updated regularly. When it happens for Mac OS, we will have this fight to win from square one.

I will end this with my own bold claim (why not!). There are at this very moment people working on malicious code for Mac OS X (no, it’s not me!) and I believe that it is inevitable that Mac OS will be hit by a successful malicious attack in the next couple of years and I believe we should be preparing for it.

Discuss :)

Technorati Tags: , , , , ,

Someone hacked into my text editor and fixed my bug!

It isn’t often that you encounter an new idea, especially in the software world. A new type of application, one that you haven’t ever seen or heard of before in any shape or form. Something that makes you say “Wow”. It is even more remarkable when that application is a text editor!

Well, that’s what happened to me while attending O’Reilly’s ETech this year. I saw several people using what looked like a regular (even quite a plain looking) text editor, except that text was appearing in the document while the user sat back, hands far away from the keyboard.

I found out that application was called SubEthaEdit and it is a collaborative text editor.

Now, to skip slightly off the topic for a second. I have become completely addicted to TextMate (which I have another, half written blog post about :) and I will say right now that TextMate is my main programming editor at the moment because of it’s beautiful support for Ruby on Rails and while I am led to believe that SubEthaEdit makes a great programmers editor as well, that isn’t something I am qualified to talk about because I haven’t used it in that situation yet. So I won’t.

What I can talk about though are the collaborative editing features because this is what caused the “Wow”. So the lowdown is that either using Bonjour to find any other SubEthaEdit on a local network or by connecting to a remote address, several people can all edit the same text file, at the same time, in real-time. Multiple selections, multiple cursors, the whole nine yards. Unlike anything I have ever seen before.

At ETech, this was being used for note taking and as a compliment to IRC and I joined several LAN editing sessions during the conference and was able to see (and add to) notes that were being taken. That is an obvious use for this application but I have even heard it mentioned that it would be good for pair-programming… Now that is an interesting idea! Pair programming where the pair are not even in the same room? Would it work? Who knows, but with free VoIP (thanks Skype, and others) and SubEthaEdit then it would at least be possible. I would be interested to try it out and see how it works in practice (offers?). But even if not for pair programming, think of the possibilities here for debugging, for collaborative writing, for teaching. It is the instancy of the collaboration that is what makes the experience remarkable, the fact that you can literally work on the same line of text, see other people’s selection, see their cursor move. It has to be seen really (maybe I should do a ScreenCast).

Ok, so maybe my first sentence was a bit OTT and this app isn’t completely unique because yes, there are text editors and yes, there are wiki’s. But the fact remains that seeing this application for the first time was a real wow which is something I haven’t had when looking at software for a long time (on any platform). There is just nothing available on Windows (as far as I know) that does anything like this and that’s a loss for Windows users.

Note: So the reason that I picked today to blog about this? It is no secret. MacZOT are running a blogging thing where you can get a copy for free if you blog about SubEthaEdit today. I am firmly against the marketing tactic of just getting people to blindly link to your site/application and repeat marketing sound bites like parrots to get free stuff and I can promise you now that you won’t see that happen on this blog. But I already had something half written about SubEtha and I formed my opinion completely independently of the fact that I might get a free license out of this. Did my journalistic integrity survive this post? :D

Update: I did get a free copy of SubEthaEdit for posting this.

Technorati Tags: , , , , ,

Why Hasn’t E-Mail Been Covered Yet?

I have had a couple of mails recently asking me what I use for an e-mail client and if I like Mail.app and I guess up until yesterday the answer was that I didn’t know! I hadn’t loaded any e-mail client (apart from when I accidentally clicked a mailto: link and Mail launched :).

On Windows, I used GMail web-mail (and GMail tray notifier) for all of my home mail and Outlook 2003 (and Exchange 2003) at work. Previously, I have used Outlook Express, Eudora for Windows (a LONG time ago) and pretty much all versions of Outlook.

I have been thinking recently that it would be nice to have a desktop based mail application for reading my mail (GMail can supply your mail via POP3) so that for example, I can just click those mailto: links :) and these last couple of e-mail’s convinced me I should try it, so I set up Mail.app and let it download my full GMail archive via POP3 (~20,000 messages, yes it took a long time).

So, the short version of the story?

  • Q: Am I now using Mail.app to read my mail?
  • A: No.

Why?

Lack of decent conversation support! This is where GMail has really spoiled me, looking at a conversation in the default view in Mail.app the entire message list view could be filled entirely with the same thread. I found this so unusable after the beautiful conversation model of GMail. It seems like messages from the selected conversation are also highlighted in blue but I actually found this very distracting and it is quite innacurate, often linking things from the same person but with completely different subject lines or missing out half a conversation.

There is a very promising option on the View menu, “Organise by Thread”. This gets close to what is needed in that it collapses each conversation thread to one row in the message panel but then misses by using a tree view style approach that requires me to still look at every message separately.

Of course it wasn’t all bad, I really liked the implementation of smart folders which to me looks like Outlook 2003 search folders (I don’t know who got there first with this feature) but the execution of it in Mail.app is more usable than in Outlook and I managed to set up all of my mailing lists very easily. This feature is more functional than any similar feature I have seen before with the ability to run AppleScript etc on being triggered.

So I am back to GMail for now, I guess the fact that I would still prefer a web mail client over anything available on Windows or Mac shows just how much Google changed e-mail back on April fools day 2004.

Note: I am not 100% pure web-mail, I do use the GPeek widget to let me know when I have new mail. I tried a few widget’s and menu bar thingys for checking GMail and I found GPeek to be the most useful.

Technorati Tags: , , ,