OS X Patches, Secunia Stats

Yesterday, Apple patched the DNS bug everyone was so worried about a few days ago (because some security researcher got ticked off that his name hadn’t been mentioned in dispatches). Time to revisit the whole “Mac OS X is less secure than we think” meme.

Remember, this is all versions of OS X since January 2003 vs. Windows Vista. (If I wanted to be nasty, I’d show the graphs for Windows XP Professional, various versions of Office, etc. At least Secunia has stopped treating each Microsoft SKU as a different platform.)

According to Secunia*, the most severe flaw in OS X in the last couple of years is this. If you’d like to skip reading it, the basic idea is this — there was a bug in Apple’s zip utility that would execute a specially tailored payload in a zip archive. So if you were using Safari with default preference settings and you clicked a link, the zip archive would download to your hard disk, get decompressed, and — potentially — arbitrary code could execute. Note that this is not a “Trojan Horse” in the sense that you don’t need to type in a password or deliberately do anything except click a link in a web page, so this is pretty severe.

This is rated by Secunia as extremely critical — do you ever get the feeling that security researchers should be given a free thesaurus? — (“5” on their 5 point scale), even though (1) it requires some user action (it’s not like port vulnerabilities in Windows which allowed worms like BLASTER to simply take over a PC as soon as it was hooked up to the internet) and (2) there are no known instances in the wild.

Windows XP and Vista have a bunch of vulnerabilities rated highly critical (4/5) which are equally nasty. For example, buffer overflows in the way Windows handled images in web pages could cause arbitrary code execution. Casual user activity (browsing pages) could, theoretically, result in arbitrary code execution in user space. Apparently, for a problem of this severity to be rated extremely critical for Windows there need to be known examples in the wild.

Presumably, a vulnerability on the Mac requiring zero user action which obtained root access and had instances in the wild would rate mindbogglingly critical (8/5) on Secunia’s scale for consistency. I guess when there’s finally a worm out there that can compromise Macs, heads will explode.

* Why do I keep using Secunia? Because as security research firms go, they’re not quite as grotesquely anti-Mac as typical, and they offer links to embed live versions of their graphs.

Post Script

Apple’s patch doesn’t fix the DNS bug properly. It’s worth noting that this is only going to hurt servers (since most people don’t use OS X desktops as DNS servers, and indeed it’s not switched on by default) so technically this is a server bug. Still, it needs fixing and it’s another misstep by Apple (along with the whole MobileMe fiasco) in a short period.

Post Post Script

Also note that Apple’s initial patch did fix the vulnerability in OS X server (and, apparently, in server-like devices such as Airport Extreme), so basically all the whining was about nothing. It’s one thing to conflate OS X (desktop) with OS X (server) in counting bugs, and another to complain about OS X having an unpatched defect in a service that’s turned off by default and very few people would have switched on.

OS X Everywhere

Here’s my contribution to rampant speculation on the “Product Transition I Can’t Get Into” referred to in Apple’s recent Earnings Call. Let’s see how good a pundit I am. Now, there are many things I’d like the transition to be but which are highly unlikely. I may publish the long-winded article I’ve written on the subject eventually, but I thought I’d keep this brief…

By November, every iPod — except possibly the Nano — will be an iPod Touch of some kind, running OS X. To achieve this, Apple will have to drop the basic iPod Touch price down to $149 or less. iPod Touches are kind of expensive to make, so this will hurt margins and cannibalize some higher margin products.

The upside: within 12-24 months, Apple will — arguably — have the dominant computing platform on the planet — the largest games platform except for the PS2, the largest mobile computing platform except for the OSes embedded in commodity cell phones, and the largest platform that, as a whole, can natively run apps compiled against a single OS toolbox API.

For bonus points, they can merge the AppleTV into the Mac Mini (and put AppleTV functionality into every Mac) or simply expose extra functionality in [new?] AppleTVs (such as the ability to run iPhone games apps).

Now, I’m not sure this is a Good Thing™. Apple has, historically, been a pretty arrogant company. (Look at its treatment of game developers from 1985-2000.) I’m not sure whether the world would be a better place with Apple in the driver’s seat, but this is, I think, the plan: OS X everywhere.

Post Script

Another rumor I’ve seen is that there’ll be a MacBook Touch which will presumably draw attention away from Apple’s very successful MacBook Air and also the MacBook Pro (especially if the MacBook Touch has good stylus support). A MacBook Touch would help dissolve the dividing line between Mac and iPhone applications (it’s easy to imagine that some apps will appear that are, essentially, identical on both platforms) and turn OS X into a more unified platform.

Does Apple have an “Out” Clause for its partnership with AT&T?

The main problem with the iPhone 3G launch appears to have been AT&T. AT&T didn’t ship enough phones to its stores, and wasn’t able to handle activations fast enough. If you look at the number one reason stopping would-be iPhone users from buying one, I’m pretty sure it’s AT&T.

Our last experience with AT&T was having our account padded with a bunch of services we didn’t ask for (in fact explicitly refused) but not noticing it, because during the first two months on a contract it’s impossible to figure out your bill (it has all kinds of wacky one-off items). Then, when we discovered them, we weren’t able to turn off the features we didn’t want and weren’t using for over six months, and then weren’t able to be refunded for them afterwards. When we switched to Verizon (whom we hate for different reasons) AT&T reps called us to ask if there was anything they could do to change our minds. Well, you could go back in a time machine and not rip us off.

Generally, a contractual agreement between business partners, such as Apple’s exclusivity deal with AT&T, has “out” clauses for such things as non-performance. Recently, for example, Paramount was sued by licensees of the Star Trek brand for producing lousy Star Trek series and destroying the value of the brand. If a famous athlete is discredited for taking steroids or sexually assaulting someone he/she will lose his/her endorsement contracts. Perhaps the most germane example I can think of is Apple’s iTunes licensing agreement with the big music studios which gives them an “out” if Apple fails to address any cracking of iTunes DRM within 30 days.

Just how badly can AT&T screw things up and not give Apple an early “out” from their exclusivity deal? It almost makes me wonder if Apple’s incredible efforts to put iPhones in their stores were an attempt to force AT&T to fail some benchmark. (It would also explain AT&T’s deliberate understocking.)

iPhone++ and DotMac++

So, it’s launch day redux. Of course I’m not buying one today (and don’t have the original). Of course I’ve been reading about it obsessively. Some reactions to the random stuff I’ve read…

MobileMe has been down since they flipped the switch. Except some folks say it’s up. Well golly gee, how to resolve this? I went to the website and signed up for a free trial. It seems pretty up to me. In a truly wonderful example of his evenhandedness, yesterday Paul Thurrott managed to compare the day or two of outages in the launch of me.com to the Windows Vista delay.

After playing with me.com for a few minutes, here are my impressions:

  • The calendar was incredibly slow and buggy.
  • Overall — if they can handle the load — this is the best web app experience ever. (Even better than 280slides.com.) Handling the load is obviously non-trivial, however.
  • Calendar app failed because of server issues (but the web app continued to work and be responsive, it just generated “could not save changes” error messages).
  • They do show progress on file uploads.
  • In general, they wrap file uploads (a sore point with web apps) better than I’ve seen it done anywhere — it feels much more desktop-app-like.
  • The mail app is very nicely done.
  • Flickr and Picasa allow you to email photos to a gallery, but setting it up in me.com is insanely easy. I emailed photos to a gallery while I had it open in my browser and it live updated.

I’m getting sick of the “the new iPhone really costs $360 more than the old one” meme, derived by adding $240 for the $10/month extra you pay for 3G (vs. EDGE) plus $240 extra you’d pay if you wanted to keep the same amount of free SMS messages as the old plan and … I dunno, not being able to add. Let’s compare Apples to Apples. You’re getting far more bandwidth. EDGE is literally like dialup. 3G is literally like broadband… well, faster dialup anyway. And iPhone 2.0 supports AIM and similar third-party instant messaging options, so why use SMS at all? Finally, Apple’s new iPhone pricing is a much fairer comparison to competitors. Where were all the “it’s really $Math.random()*480 more” assholes when Apple was selling the iPhone for a total 2 year cost lower than Motorola’s “$99” Q?

Then there’s the Joy of Tech’s “an iPhone really costs you a million dollars” strip. I’d forgive it if it were actually funny. Eating costs a million dollars too. So does watching TV. Here — in no particular order — is what an iPhone (when I finally cave in and get one) will do for me:

  • I’d like to think I’ll give up carrying laptops around, but I probably won’t. (At least I can stop carrying my laptop to the toilet to read. I sure am glad Kevin Smith does this too — I thought I was the only one.)
  • When I’m in a store trying to decide whether to buy a game or book, I’ll actually be able to look up a review online. So many things I would never have purchased if I could have read reviews in the store.
  • If I can’t find a decent free front-end for Gutenberg.org’s library, I’ll write one and give it away.
  • It will replace my iPod. I don’t care if I can’t carry my entire music library around with me, because I won’t have to carry my iPod around with me.
  • It will replace my gazillion random notebooks that I’m always losing. My RAZR has a note-taking function somewhere — I don’t use it. The value of this is pretty much incalculable. (I was a Newton user and for a period of four years I have all my meeting notes on a Newton in searchable form. I don’t use the Newton but keep it around for its data.)
  • I will actually use it as an organizer and contact list.
  • I will actually be able to get Photos from it to my computer without paying my phone service provider.
  • I will actually use a custom ringtone because Apple doesn’t gouge you for them.
  • It will replace my Nintendo DS which I never use because the game selection for the DS is horrible. (Basically there’s nothing on the DS I consider worth playing except for old Final Fantasy games and (yawn) Mario. I think the average review rating for DS games on GameSpot is something like 5.5, and generally 9/10 from GameSpot == kind of OK.)
  • I actually want to develop iPhone apps. I have never had a desire to develop apps for any other cellphone. Heck, I’d like to develop an IDE that runs on an iPhone (a fascinating challenge).
  • It will stop me from pining for pocket calculators.
  • It may even stop me pining for an updated Newton. Nah.
  • It will allow me to stream internet radio. As a colleague at work pointed out, for $10/month (assuming you’re in a 3G coverage area, which I’m not) it replaces your $10/month XM/Sirius habit — if you have one. (We’ve got XM for free for 3 months with the new twinmobile, but we won’t be extending it since the UI for finding stations is so awful we can’t be bothered to use it.)

So, whatever the iPhone costs, it costs less than the stuff it obviously replaces (phone, iPod, portable DVD player, kindle, decent calculator, notepads, organizer, portable game, magazines, newspapers) and provides new capabilities and synergies I don’t currently have and haven’t even thought of (like being able to read websites while waiting in the checkout lane at a super market, or reviews while visiting GameStop). To put this in perspective — our current family phone plan through Verizon (three handsets) costs ~$100/month. Two iPhones plus a normal handset will cost us $120/month. Maybe a bit more if we go for more minutes.

Here’s a couple of really simple examples of how much this doesn’t suck:

  • My DS has a sucky browser (that I paid $30 for). It’s tragically bad. (The only reason I didn’t demand a refund is that I use it as a worst case scenario for testing website compatibility.) And it occupies BOTH slots in the Gameboy. DS games cost $20-40 and there’s a lousy selection in most stores. The iPhone already — as of launch day — has a better game selection than the DS, I can buy them on demand, they cost $3-10, and they don’t require me to carry a bunch of cartridges around.
  • The Kindle lets me view certain selected periodicals. (I’ve not bought one and never will.) It’s also big, ugly, and slow. If I want to read Penny-Arcade on it, I am SOL (even ignoring its monochrome display).
  • My iPod, cell phone, point-and-shoot camera*, and Nintendo DS — aside from being separate devices — all happen to have different charger bricks. Incidentally, the total cost of the preceding was $200 + $79 + $230 + $110 (+ $120 or so for games). If I owned a Kindle ($359) and a portable DVD player (~$100) they would have two more charger bricks. My Newton (which the iPhone will eventually replace) also has a charger brick. The iPhone hasn’t got the Kindle or DS’s battery life, but how much more likely am I to have a charger handy?

* Actually the one thing the iPhone definitely won’t replace is my point-and-shoot (7MP with 10x Leica zoom lens), but it will be a darn sight more useful than my RAZR’s camera (which I do use, but can’t get photos from). But iPhone + Nikon DSLR is less junk to carry around than my usual pile of junk without the Nikon.

Despite this starry-eyed view of the iPhone, I’m not rushing out to buy one, but my wife is ticked that all her grad students already have them… Social comparison > Logic!

Safari 3.1.1

Safari Web Inspector

My friend Andrew pointed out in my post on FireFox 3.0b5 that it was too late to get him to try it, since he’d just given up on FireFox, switched to Safari, and wasn’t looking back. I’ve just made the switch too, after finding FireFox 3.0b5 both just as unstable as 2.0.0.14 and subject to some annoying rendering bugs and random thunks. I can’t just abandon FireFox — the web developer and FireBug extensions are just too damn useful — but it’s not going to be my daily browser for the foreseeable future.

For a long time, Safari has had the distinction of producing the best-looking web pages, and running JavaScript really fast (whether it’s the fastest is a matter of debate, but it sure feels quick). It has a better feature set than Internet Explorer (canvas support, anyone?), and supports a bunch of CSS extensions, such as shadows under text, that no-one else does.

And, frankly, it has the cleanest and most attractive user interface.

Most importantly for me, Safari’s Develop menu (which used to be its Debug menu) offers something of an alternative to the Web Developer plugin for FireFox. Although Drosera (the Safari JavaScript debugger) has been around for some time, it’s not yet part of the Safari release, and getting it is something of a chore. You need to download the Nightly Build (source code) and then “attach” Drosera to either Safari or WebKit (the open source version of Safari). Even if I could be bothered, Safari still lacks a few of the Web Developer plugin’s best features, such as the ability to see the generated HTML you’re looking at.

But, as a basic, daily browser — I’m afraid Safari has FireFox beat for now.
