July 5, 2006 5:35 PM PDT
Apple widget checks raise eyebrows
Apple released an update to Mac OS last week that fixed a few bugs and added some features. One feature Apple added was described as the ability to verify that a widget was an authentic program. Widgets are small software programs that provide Mac users with little bits of useful information, like the weather report or stock tickers.
Some bloggers have become concerned that Apple is collecting information without their authorization, after the recent furor caused by Microsoft's Windows Genuine Advantage Notification program. Microsoft inserted a prerelease program in a regular Windows update that checks Windows PCs to make sure they are running a genuine copy of the operating system, but the company included that beta feature without telling users and has since posted instructions on how to remove it after a backlash.
Apple's Dashboard Advisory verification software was designed as a security feature, a company representative said. "Apple takes protecting user privacy very seriously. The Dashboard Advisory feature is a security tool that ensures that the correct version of a widget has been downloaded from a third-party site and no personal information is transmitted back to Apple," the company said in a statement.
Dashboard Advisory looks at just widgets, not the rest of the operating system. Widgets available on Apple's Downloads page are actually hosted by the companies that developed the widgets, not Apple. The verification feature is designed to ensure that the widget advertised on Apple's Downloads page is the same widget that gets installed on a Mac, or to prevent someone from spoofing a link to trick a user into downloading a different program.
A Mac with the latest version of Mac OS, version 10.4.7, sends an HTTP (Hypertext Transfer Protocol) GET command to Apple's servers to verify that the widget is authentic, the company representative said. There is no way to turn off the transmission, which takes place about every eight hours, and the user is not prompted before the transmission is made.
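One way to confirm the roughly eight-hour check-in described above from your own proxy logs, as an added example that is not part of the original article. The log format, the function names and the host name advisory.example.invalid are assumptions; the host is a placeholder because the article does not name the server contacted.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client, method, URL.
# advisory.example.invalid is a placeholder host, not a real endpoint.
SAMPLE_LOG = """\
2006-07-05T00:02:11 10.0.0.12 GET http://advisory.example.invalid/check
2006-07-05T03:15:40 10.0.0.12 GET http://news.example.invalid/index.html
2006-07-05T08:01:58 10.0.0.12 GET http://advisory.example.invalid/check
2006-07-05T09:47:02 10.0.0.12 GET http://news.example.invalid/story1
2006-07-05T16:03:05 10.0.0.12 GET http://advisory.example.invalid/check
2006-07-05T16:20:33 10.0.0.12 GET http://news.example.invalid/story2
2006-07-06T00:02:44 10.0.0.12 GET http://advisory.example.invalid/check
"""

def parse(log_text):
    """Yield (client, host, timestamp) for each well-formed GET line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # skip malformed lines and other methods
        host = urlsplit(parts[3]).hostname
        if host is None:
            continue
        yield parts[1], host, datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")

def periodic_checkins(log_text, period_h=8.0, tolerance_h=0.25, min_hits=3):
    """Return {(client, host): median_gap_hours} for client/host pairs whose
    requests recur at period_h, with every gap inside the tolerance."""
    seen = defaultdict(list)
    for client, host, ts in parse(log_text):
        seen[(client, host)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it a schedule
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_h) <= tolerance_h for g in gaps):
            flagged[key] = round(median(gaps), 2)
    return flagged

if __name__ == "__main__":
    for (client, host), gap in periodic_checkins(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every ~{gap} h")
```

Ordinary browsing to the second host in the sample is not flagged, because its gaps do not match a fixed period.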
hours.
Widgets can make operating system calls through the system
extension. Of course they can only do things that the user has
security to do.
Let us imagine there is a privilege execution problem in a low
level command. This is a traditional way to gain control of a Unix
box at a level higher than you are entitled to.
Or easier still, let us imagine a widget that prompts the user to
enter their admin account/password to authorise something that
sounds realistic ('install new version').
Let's also consider that widgets are mostly written in JavaScript
which has a far higher development audience than Objective-C,
and that most people think widgets are fun things that can't do
any harm.
At the simplest level someone could write a widget that just did
an rm * on your iTunes and iMovies collection. It would be your
fault for trusting and running it, and it would not last long
before word got around, but most end users' expectation is that a
widget wouldn't do that sort of thing. Psychology is the biggest
thing hackers exploit.
Given all that, perhaps Apple wanted to put in a way to block /
kill bad widgets, without actually announcing a new security tool
for Dashboard. (CNET Headline 'Apple Dashboard Security Flaw'
- a proof of concept Trojan widget has been created by a
security researcher).
This is a simple user error, nothing else.
No news here people, move along...
the sync pref isn't otherwise available. And it is not the case that
Apple's widget probe only applies to people with .Mac accounts. I
don't think it is a big issue, but it is another example of Apple
treating customers like adolescents.
nicmart's right. It's Apple treating their customers like children, which is where the real "not news" is. Apple is control, always have been, always will be.
This feature of 10.4.7 - UNLIKE WGA - only checks on the
validity of third party widgets on your dashboard.
It does not "snoop" on your operating system, record your
keystrokes, or do any other tinfoil hat wearing stupid post which
i'm sure will make its way to this comments section soon
enough.
But hey, don't let that stop you from your 15 minutes of ranting
fame.
Just like WGA, however, Apple did not fully or clearly detail what it is you were downloading, nor the fact it would dial out on a regular basis, nor what it was sending.
You Apple apologists truly know no bounds. Almost any action is vilified or ignored, simply because of who is doing it.
http://blog.wired.com/cultofmac/index.blog?entry_id=1515043
It does amply demonstrate the age of the user's absolute control of his or her computer as an independent entity is rapidly coming to an end though, should either Apple or the monolith like Microsoft gain the upper hand!
It will always remain about free choices and fair use!
http://www.techknowcafe.com/content/view/551/43/
This is a check for updates. The sort of check almost every
piece of modern software has as a feature.
It can be disabled, it doesn't report information to the company,
and there is no reason to have it as such a prominent headline,
except that CNET knows the "controversy" will draw page views.
Whatever. That's the business model of the blog: spread FUD
and get clicks.
extension my computer - want to communicate with. Apple did
not offer a choice, but failed to mention that there is a 'phoning
home' feature in OS 10.4.7. If they would have let everybody
know about it, and would have provided their customers with an
option to turn it off, nobody would feel violated. As it stands,
there are going to be an awful lot of unhappy Mac users... very
soon.
then why stop there? Why not "verify" all the other programs on
your computer? From there it's a slippery slope, with Apple
deciding what programs are worthy of verification, and who is
allowed to create "official" programs for the Mac -- and maybe
even eventually going the way of Nintendo and Sony, requiring
all Mac software to be licensed and shutting out hobbyists,
shutting out shareware, shutting out emulators or any other
programs they object to.
Asking for registration is really quite modest. I really don't have
a problem with Apple wanting to find out who their customers
are.
As the other poster said, you can bypass the process by quitting
(which is not as hidden as you describe since, I think, Quit is
available as a menu choice -- besides command-Q is hardly
undocumented; it's been the way to quit any Mac program since
1984). Or, you can supply phony contact information if it really
bothers you.
off. In case people are paranoid about clicking links (I am when
using a winblows box), the instructions are as follows:
1. Open Terminal.
2. sudo mv /etc/mach_init.d/dashboardadvisoryd.plist /etc/mach_init.d/dashboardadvisoryd.plist.disabled
3. Reboot.
Not so bad. Ever go through removing that WGD (Winblows
Genuine DISadvantage) trash from your system before? I have,
let's just say it's not quite so easy.
Since we're comparing this to WGD, would someone mind telling
me how Apple could use this to disable your system? That's what
ticked me off about WGD - I couldn't use my own computer for a
few days until I called M$ and read them a bunch of useless
numbers, then entered another bunch of useless numbers. And
for those who figure I'm a nefarious type, no my XP license isn't
in question (it's perfectly legal) and no I haven't upgraded
anything on my box in years (same processor, memory,
motherboard, HD, etc). WGD literally locked up my computer
because my firewall prevented it from phoning home upon
installation (it can be argued that's my fault, since I blocked it). I
seriously doubt Apple could do the same with this.
That said, this wasn't a good move for Apple to say the least. I
wish these companies would learn to come clean about stuff like
this, it wouldn't bother people as much as discovering it this way
does.
Of course, that won't stop ignorant folks from spreading the usual FUD...